Abstract
An \(\ell \)-server Private Information Retrieval (PIR) scheme enables a client to retrieve a data item from a database replicated among \(\ell \) servers while hiding the identity of the item. It is called b-error-correcting if a client can correctly compute the data item even in the presence of b malicious servers. It is known that b-error correction is possible if and only if \(\ell >2b\). In this paper, we first prove that if error correction is perfect, i.e., the client always corrects errors, the minimum communication cost of b-error-correcting \(\ell \)-server PIR is asymptotically equal to that of regular \((\ell -2b)\)-server PIR as a function of the database size n. Secondly, we formalize a relaxed notion of statistical b-error-correcting PIR, which allows non-zero failure probability. We show that as a function of n, the minimum communication cost of statistical b-error-correcting \(\ell \)-server PIR is asymptotically equal to that of regular \((\ell -b)\)-server one, which is at most that of \((\ell -2b)\)-server one. Our main technical contribution is a generic construction of statistical b-error-correcting \(\ell \)-server PIR for any \(\ell >2b\) from regular \((\ell -b)\)-server PIR. We can therefore reduce the problem of determining the optimal communication complexity of error-correcting PIR to determining that of regular PIR. In particular, our construction instantiated with the state-of-the-art PIR schemes and the previous lower bound for single-server PIR result in a separation in terms of communication cost between perfect and statistical error correction for any \(\ell >2b\).
Notes
- 1. For regular PIR, the authors of [12, 18] introduced the statistical analogue of perfect correctness to derive lower bounds for the communication cost of two-server PIR. Statistical correctness allows a client to output an incorrect value with small probability even if all servers behave honestly (Definition 2).
- 2. Note that \(\ell \)-private \(\ell \)-server PIR is equivalent to single-server PIR since all the \(\ell \) servers are allowed to collude and hence can be viewed as a single server.
- 3. We define \(\mathcal {L}_n[s,c]=\exp (c(\log n)^s(\log \log n)^{1-s})\) for \(0\le s\le 1\) and \(c>0\) (see Sect. 3).
- 4.
References
Ambainis, A.: Upper bound on the communication complexity of private information retrieval. In: Degano, P., Gorrieri, R., Marchetti-Spaccamela, A. (eds.) ICALP 1997. LNCS, vol. 1256, pp. 401–407. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-63165-8_196
Banawan, K., Ulukus, S.: The capacity of private information retrieval from byzantine and colluding databases. IEEE Trans. Inf. Theory 65(2), 1206–1219 (2019)
Beimel, A., Ishai, Y., Kushilevitz, E., Raymond, J.F.: Breaking the \(O(n^{1/(2k-1)})\) barrier for information-theoretic private information retrieval. In: Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science, pp. 261–270 (2002)
Beimel, A., Ishai, Y.: Information-theoretic private information retrieval: a unified construction. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 912–926. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-48224-5_74
Beimel, A., Stahl, Y.: Robust information-theoretic private information retrieval. J. Cryptol. 20(3), 295–321 (2007)
Catalano, D., Fiore, D.: Practical homomorphic MACs for arithmetic circuits. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 336–352. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_21
Chee, Y.M., Feng, T., Ling, S., Wang, H., Zhang, L.F.: Query-efficient locally decodable codes of subexponential length. Comput. Complex. 22(1), 159–189 (2013)
Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–982 (1998)
Dvir, Z., Gopi, S.: 2-server PIR with subpolynomial communication. J. ACM 63(4), 1–15 (2016)
Efremenko, K.: 3-query locally decodable codes of subexponential length. SIAM J. Comput. 41(6), 1694–1703 (2012)
Eriguchi, R., Kurosawa, K., Nuida, K.: Multi-server PIR with full error detection and limited error correction. In: 3rd Conference on Information-Theoretic Cryptography (ITC 2022), pp. 1:1–1:20 (2022)
Goldreich, O., Karloff, H., Schulman, L., Trevisan, L.: Lower bounds for linear locally decodable codes and private information retrieval. Comput. Complex. 15(3), 263–296 (2006)
Itoh, T., Suzuki, Y.: Improved constructions for query-efficient locally decodable codes of subexponential length. IEICE Trans. Inf. Syst. E93.D(2), 263–270 (2010)
Kurosawa, K.: How to correct errors in multi-server PIR. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 564–574. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_20
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, STOC 1989, pp. 73–85 (1989)
Sun, H., Jafar, S.A.: The capacity of private information retrieval. IEEE Trans. Inf. Theory 63(7), 4075–4088 (2017)
Sun, H., Jafar, S.A.: The capacity of robust private information retrieval with colluding databases. IEEE Trans. Inf. Theory 64(4), 2361–2370 (2018)
Wehner, S., de Wolf, R.: Improved lower bounds for locally decodable codes and private information retrieval. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 1424–1436. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_115
Woodruff, D., Yekhanin, S.: A geometric approach to information-theoretic private information retrieval. In: 20th Annual IEEE Conference on Computational Complexity (CCC 2005), pp. 275–284 (2005)
Yang, E., Xu, J., Bennett, K.: Private information retrieval in the presence of malicious failures. In: Proceedings 26th Annual International Computer Software and Applications, pp. 805–810 (2002)
Yekhanin, S.: Towards 3-query locally decodable codes of subexponential length. J. ACM (JACM) 55(1), 1–16 (2008)
Acknowledgement
This research was partially supported by JSPS KAKENHI Grant Numbers JP20J20797 and 19H01109, Japan, JST CREST Grant Number JPMJCR2113, Japan, and JST AIP Acceleration Research JPMJCR22U5, Japan.
Appendices
A Definitions
Following [11], we use the notion of tampering functions to formalize a malicious server who corrupts a set of servers and modifies their answers.
Definition 7
(Tampering function). Let \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) be an \(\ell \)-server PIR scheme. Let \(T\subseteq [\ell ]\) be a subset. Let f be a function which takes \((\textsf{que}_1,\ldots ,\textsf{que}_\ell )\in (\{0,1\}^{c_\textsf{que}})^\ell \) and \(\boldsymbol{a}\in \{0,1\}^n\) as input, and outputs \((\widetilde{\textsf{ans}}_1,\ldots ,\widetilde{\textsf{ans}}_\ell )\in (\{0,1\}^{c_\textsf{ans}})^\ell \). We say that f is a tampering function for \(\varPi \) with respect to T if for each \(i\in [\ell ]\), it holds that
for some function \(f_i\). We denote the family of all such tampering functions by \(\mathcal {F}_{T}^\varPi \).
Definition 8
(Error-correcting PIR). We say that an \(\ell \)-server PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) is \((1-\epsilon _{\textrm{EC}})\)-error-correcting with respect to T if for any \(\boldsymbol{a}=(a_1,\ldots ,a_n)\in \{0,1\}^n\), any \(\tau \in [n]\) and any \(f\in \mathcal {F}_{T}^\varPi \), it holds that
where \((\textsf{que}_1,\ldots ,\textsf{que}_\ell ;\textsf{aux})=\mathcal {Q}(\tau ;r)\). We say that an \(\ell \)-server PIR scheme \(\varPi \) is \((b;1-\epsilon _{\textrm{EC}})\)-error-correcting if it is \((1-\epsilon _{\textrm{EC}})\)-error-correcting with respect to any \(T\subseteq [\ell ]\) of size b.
Definition 9
(Error-detecting PIR). We say that an \(\ell \)-server PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) is \((1-\epsilon _{\textrm{ED}})\)-error-detecting with respect to T if the following conditions hold:
- \(\varPi \) is \((1-\epsilon _{\textrm{ED}})\)-correct.
- \(\mathcal {D}\) is allowed to output a special symbol \(\bot \) and it holds that for any \(\boldsymbol{a}=(a_1,\ldots ,a_n)\in \{0,1\}^n\), any \(\tau \in [n]\) and any \(f\in \mathcal {F}_{T}^\varPi \),
where \((\textsf{que}_1,\ldots ,\textsf{que}_\ell ;\textsf{aux})=\mathcal {Q}(\tau ;r)\).
We say that an \(\ell \)-server PIR scheme \(\varPi \) is \((b;1-\epsilon _{\textrm{ED}})\)-error-detecting if it is \((1-\epsilon _{\textrm{ED}})\)-error-detecting with respect to any subset T of size b.
B Proof of Theorem 2
Let \(\mathcal {I}=\{(i,j)\in [k]^2:i\ne j\}\). Let \(\varPi \) be a k-server PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) described in Figs. 3, 4 and 5.
Communication complexity. The communication complexity of \(\varPi \) is at most
Correctness. Assume that all servers are honest. Let \(\boldsymbol{a}\in \{0,1\}^n\) be a database and \(\tau \in [n]\) be a client’s index. Let \(\nu \in [\lambda ]\). We show that the value \(z^{(\nu )}\) computed at Step 2(b) of \(\mathcal {D}\) is 0 or 1 with probability 1 and is equal to \(a_\tau \) with probability at least \(1-\epsilon \). If so, the union bound implies that it holds that \(\{z^{(\nu )}:\nu \in [\lambda ]\}=\{a_\tau \}\) with probability at least \(1-\lambda \epsilon \), which shows the \((1-\epsilon _{\textrm{ED}})\)-correctness of \(\varPi \).
Assume that \(b^{(\nu )}=0\). We can deal with the other case of \(b^{(\nu )}=1\) similarly. Observe that the first row of \(\boldsymbol{Q}^{(\nu )}\) is
Since all servers are honest, the first row of \(\boldsymbol{A}^{(\nu )}\) is
The \((1-\epsilon )\)-correctness of \(\varPi _0\) implies that
with probability \(1-\epsilon \).
If the client chooses \((i,j)\in \mathcal {I}\) at Step 1(b) of \(\mathcal {Q}\), the (2, i)-th entry of \(\boldsymbol{Q}^{(\nu )}\) is equal to the (2, j)-th entry of \(\boldsymbol{Q}^{(\nu )}\), which is \((j,\textsf{que}_{2,j}^{(\nu )})\). Since Servers i and j are honest, it holds that
Hence, at Step 2(b), the equality holds with probability 1.
Therefore, \(z^{(\nu )}\) is always set to \(y^{(\nu )}\in \{0,1\}\), which is equal to \(a_\tau \) with probability \(1-\epsilon \).
Privacy. Observe that a query vector \((\textsf{que}_i)_{i\in [k]}\) generated by \(\mathcal {Q}\) contains nothing more than \(2\lambda \) independent query vectors \((\textsf{que}_{m,i}^{(\nu )})_{i\in [k]}\) (\(m\in \{1,2\},\nu \in [\lambda ]\)), each generated by \(\mathcal {Q}_0\). Therefore, the t-privacy of \(\varPi \) follows from that of \(\varPi _0\).
Error Detection. We prove that \(\varPi \) is \((b;1-\epsilon _{\textrm{ED}})\)-error-detecting. Let \(\boldsymbol{a}\in \{0,1\}^n\) and \(\tau \in [n]\). Without loss of generality, we may assume that the server \(\textsf{S}_1\) is honest. Let \(T=[k]\setminus \{1\}\) and \(f\in \mathcal {F}_{T}^\varPi \) be a tampering function for \(\varPi \) with respect to T.
Let \(\mathcal {I}_0=\mathcal {I}\times \{0,1\}\). Let \(\mathfrak {R}_{\mathcal {Q}}\) denote the set of all random strings for \(\mathcal {Q}\), that is, \(\mathcal {I}_0^\lambda \times (\mathfrak {R}_{\mathcal {Q}_0}^N)^\lambda \). We suppose that any \((\pi ,r)\in \mathfrak {R}_{\mathcal {Q}}\) is decomposed into \(\pi =(i^{(\nu )},j^{(\nu )},b^{(\nu )})_{\nu \in [\lambda ]}\) and \(r=(r_m^{(\nu )})_{m\in \{1,2\},\nu \in [\lambda ]}\), where \((i^{(\nu )},j^{(\nu )},b^{(\nu )})\in \mathcal {I}_0\) and \(r_m^{(\nu )}\in \mathfrak {R}_{\mathcal {Q}_0}\). We naturally identify any event \(\textsf{A}\) with a subset of \(\mathfrak {R}_{\mathcal {Q}}\) consisting of all random strings on which \(\textsf{A}\) occurs.
Let \(\textsf{E}\) denote the event in which \(\mathcal {D}_0\) outputs an incorrect value even if all servers are honest. Formally, we define
where \(((\textsf{que}_{m,i}^{(\nu )})_{i\in [k]};\textsf{aux}_m^{(\nu )})={\mathcal {Q}_0}(\tau ;r_m^{(\nu )})\) for any \(m\in \{1,2\},\nu \in [\lambda ]\). The \((1-\epsilon )\)-correctness of \(\varPi _0\) implies that \(\textsf{E}\) occurs with probability at most \(2\lambda \epsilon \). Let
For any \((\pi ,r)\in \mathfrak {R}_{\mathcal {Q}}\), let \(w(\pi ,r)\in \{0,1,\bot \}\) denote the value outputted by the client when \((\pi ,r)\) is used to generate queries. Let \(\textsf{F}\) denote the set of all \((\pi ,r)\)’s such that \(w(\pi ,r)=1-a_\tau \).
Let R be the random variable representing . We have that
Fix \(r\notin \mathfrak {R}_{\textsf{E}}\). For every \(\nu \in [\lambda ]\), let \(\textsf{F}^{(\nu )}\) be the event conditioned on \(R=r\) that \(z^{(\nu )}=1-a_\tau \) at the \(\nu \)-th iteration of Step 2 of \(\mathcal {D}\). We have that
Furthermore, we have that
Fix \(\pi ^{(1)},\ldots ,\pi ^{(\nu -1)},\pi ^{(\nu +1)},\ldots ,\pi ^{(\lambda )}\in \mathcal {I}_0\). For ease of reading, let \(\textsf{COND}\) denote the condition of the probability (3). Define an event \(\textsf{BAD}\) that the client picks \(\pi ^{(\nu )}=(i^{(\nu )},j^{(\nu )},b^{(\nu )})\in \mathcal {I}_0\) such that \(i^{(\nu )}\ne 1\). In other words, \(\textsf{BAD}\) means that the client fails to guess that \(\textsf{S}_1\) is honest. Then, we have that
We will show that
Let X denote the set of all \(\pi ^{(\nu )}\in \mathcal {I}_0\) such that
- \(\pi ^{(\nu )}\in \overline{\textsf{BAD}}\), i.e., it has the form of \(\pi ^{(\nu )}=(1,j^{(\nu )},b^{(\nu )})\);
- \(\textsf{COND}\) occurs on \(\pi ^{(\nu )}\), i.e., it holds that
$$\begin{aligned} \pi :=(\pi ^{(1)},\ldots ,\pi ^{(\nu -1)},\pi ^{(\nu )},\pi ^{(\nu +1)},\ldots ,\pi ^{(\lambda )})\in \textsf{F}^{(1)}\cap \cdots \cap \textsf{F}^{(\nu -1)}. \end{aligned}$$
Let Y denote a subset consisting of all \(\pi ^{(\nu )}\in X\) satisfying \(\pi \in \textsf{F}^{(1)}\cap \cdots \cap \textsf{F}^{(\nu -1)}\cap \textsf{F}^{(\nu )}\).
If \(X=\emptyset \), then (5) clearly holds. If \(X\ne \emptyset \), choose \(\pi ^{(\nu )}=(1,j^{(\nu )},b^{(\nu )})\in X\) arbitrarily. Denote the queries sent to the malicious servers \(\textsf{S}_2,\ldots ,\textsf{S}_k\) when \(\pi ^{(\nu )}\) is picked at Step 1(b) of \(\mathcal {Q}\), by
We can see that if another \((1,j,b)\in \mathcal {I}_0\) is picked, the queries sent to the malicious servers are the same as (6). Since the tampering function f is deterministic, the answers returned by them are also the same regardless of what is picked as \((j^{(\nu )},b^{(\nu )})\) at Step 1(b) of \(\mathcal {Q}\). Therefore, if \(\textsf{COND}\) occurs on \(\pi ^{(\nu )}\), \(\textsf{COND}\) occurs on every \((1,j,b)\in \mathcal {I}_0\). In particular, we have that \(|X|=2(k-1)\) if \(X\ne \emptyset \).
We have seen that the answers returned by the malicious servers \(\textsf{S}_2,\ldots ,\textsf{S}_k\) are the same for any \(\pi ^{(\nu )}\in X\). We denote the answers by
If all of them are correct, i.e., \(\widetilde{\textsf{ans}}_{m,j}^{(\nu )}=\mathcal {A}_0(j,\textsf{que}_{m,j}^{(\nu )},\boldsymbol{a})\), we obtain that \(Y=\emptyset \). This is because at one of the rows of \(\boldsymbol{A}^{(\nu )}\), the client computes
Since we assume \(\textsf{E}\) does not occur, i.e., \(r\notin \mathfrak {R}_{\textsf{E}}\), an outcome of \(\mathcal {D}_0\) never results in \(1-a_\tau \) and hence \(\textsf{F}^{(\nu )}\) never occurs. Assume that there exist \(m\in \{1,2\}\) and \(j\in \{2,3,\ldots ,k\}\) such that
We can see that \((1,j,1)\notin Y\) if \(m=1\), and that \((1,j,0)\notin Y\) if \(m=2\). To see this, consider the case of \(m=1\). If \(j^{(\nu )}=j\) and \(b^{(\nu )}=1\) are picked at Step 1(b) of \(\mathcal {Q}\), the client detects errors (i.e., outputs \(\bot \)) since he finds the inconsistency
The other case of \(m=2\) is similar. Therefore, if \(X\ne \emptyset \),
which implies (5).
Finally, we obtain from (3) and (4) that
and hence (2) implies that
Therefore, the \((b;1-\epsilon _{\textrm{ED}})\)-error detection follows from (1) and
C Proof of Lemma 1
Define \(\varPi \) as follows:
- Iterate \(\varPi _0\) \(\lambda \) times in parallel.
- Let \(y_i\in \{0,1\}\) be the output of the i-th iteration of \(\varPi _0\) for \(i\in [\lambda ]\). If there exists \(y\in \{0,1\}\) such that \(|\{i:y_i=y\}|>|\{i:y_i=1-y\}|\), output y. Otherwise, output 0.
Clearly, the communication complexity of \(\varPi \) is \(\lambda \) times larger than that of \(\varPi _0\) and the t-privacy of \(\varPi \) directly follows from that of \(\varPi _0\). Let \(\boldsymbol{a}\in \{0,1\}^n\) be a database and \(\tau \in [n]\) be a client’s index. The outputs of \(\varPi _0\) are independent and each output is equal to \(a_\tau \) with probability \(1-\epsilon _0\).
Let \(X_i\) be a random variable over \(\{0,1\}\) defined as \(X_i=1\) if and only if \(y_i=a_\tau \). \(X_1,\ldots ,X_\lambda \) are i.i.d. random variables such that . It then follows from the Chernoff bound that
The last inequality follows from
where \(x=1/2-\epsilon _0\).
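The failure probability of the majority rule defined at the start of this appendix can also be computed exactly, which makes the effect of the tie rule visible: for even \(\lambda \) a tie outputs 0, so the worst case is \(a_\tau =1\). This is an added example, not code from the paper; the function names are hypothetical, and it assumes each run of \(\varPi _0\) is correct independently with probability exactly \(1-\epsilon _0\).

```python
from fractions import Fraction
from math import comb


def majority_failure(lam, eps0, a_tau):
    """Exact Pr[majority output != a_tau] over lam independent runs of Pi_0.

    Assumption: each run equals a_tau with probability exactly 1 - eps0.
    Ties are resolved by outputting 0, as in the definition of Pi above.
    """
    eps0 = Fraction(eps0)
    fail = Fraction(0)
    for correct in range(lam + 1):
        wrong = lam - correct
        prob = comb(lam, correct) * (1 - eps0) ** correct * eps0 ** wrong
        if correct > wrong:
            output_ok = True
        elif correct < wrong:
            output_ok = False
        else:
            output_ok = (a_tau == 0)  # tie: the scheme outputs 0
        if not output_ok:
            fail += prob
    return fail


def worst_case_failure(lam, eps0):
    """Failure probability maximised over the unknown bit a_tau."""
    return max(majority_failure(lam, eps0, a) for a in (0, 1))


def min_repetitions(eps0, target):
    """Smallest lam whose worst-case failure probability is <= target."""
    eps0, target = Fraction(eps0), Fraction(target)
    if not (0 <= eps0 < Fraction(1, 2)) or target <= 0:
        raise ValueError("need 0 <= eps0 < 1/2 and target > 0")
    lam = 1
    while worst_case_failure(lam, eps0) > target:
        lam += 1
    return lam


if __name__ == "__main__":
    eps0 = Fraction(1, 4)  # constructed sample value
    for lam in range(1, 8):
        print(lam, worst_case_failure(lam, eps0))
    print("lambda for failure <= 1/10:", min_repetitions(eps0, Fraction(1, 10)))
```

With \(\epsilon _0=1/4\), two repetitions are worse in the worst case than one (7/16 against 1/4) because of the tie rule, so odd \(\lambda \) is the sensible choice when instantiating the lemma.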
D Proof of Theorem 3
For \(\varPi _0=(\mathcal {Q}_0,\mathcal {A}_0,\mathcal {D}_0)\), we consider a PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) where \((\mathcal {Q},\mathcal {A})\) runs N independent instances of \((\mathcal {Q}_0,\mathcal {A}_0)\) between a client and every subset of k servers and \(\mathcal {D}\) is defined as follows: For each of N executions of \((\mathcal {Q}_0,\mathcal {A}_0)\), \(\mathcal {D}\) runs \(\mathcal {D}_0\) on the corresponding input and adds the output to a list \(\mathcal {L}\). If \(\mathcal {L}=\{s\}\) or \(\mathcal {L}=\{s,\bot \}\) for some \(s\in \{0,1\}\), then \(\mathcal {D}\) outputs s and otherwise outputs 0. The communication complexity of \(\varPi \) is Nc. Since each execution of \(\mathcal {Q}_0\) is done independently, \(\varPi \) is also t-private.
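The wrapper just described, as an added Python example that is not the paper's code: it enumerates every k-subset of the \(\ell \) servers, runs one instance per subset, and applies the decoding rule of \(\mathcal {D}\). The error-detecting scheme \(\varPi _0\) is modelled as a black box (the hypothetical `make_instance`), and which tampered instances escape detection is chosen by hand rather than sampled.

```python
from itertools import combinations

BOT = None  # stands for the symbol ⊥ that D_0 outputs when it detects tampering


def decode(outputs):
    """Decoder D: output s if the set of sub-outputs is {s} or {s, ⊥}, else 0."""
    values = set(outputs) - {BOT}
    if len(values) == 1:
        return next(iter(values))
    return 0  # conflicting values, or nothing but ⊥


def run_construction(ell, k, instance):
    """Run Pi_0 once per k-subset of [ell]; return (client output, N).

    `instance(A)` is a hypothetical callback giving the output of D_0 (0, 1 or
    BOT) for the instance executed with the servers in A. The communication
    cost of the whole scheme is N * c, where c is the cost of Pi_0.
    """
    subsets = [frozenset(A) for A in combinations(range(1, ell + 1), k)]
    outputs = [instance(A) for A in subsets]
    return decode(outputs), len(subsets)


def make_instance(a_tau, malicious, undetected=()):
    """Black-box model of Pi_0 (an assumption of this example).

    - A contains no malicious server: D_0 outputs a_tau.
    - A contains a malicious server: tampering is detected (BOT), unless A is
      listed in `undetected`, the event of probability <= eps_ED in which D_0
      outputs the wrong bit. (Malicious servers that answer honestly would
      simply yield a_tau and are not modelled separately.)
    """
    malicious = frozenset(malicious)
    undetected = {frozenset(A) for A in undetected}

    def instance(A):
        if not (A & malicious):
            return a_tau
        return 1 - a_tau if A in undetected else BOT

    return instance


if __name__ == "__main__":
    ell, b = 5, 2          # constructed parameters with ell > 2b
    k = ell - b            # every k-subset other than H meets the malicious set
    bad = {4, 5}           # H = {1, 2, 3} is the all-honest subset A_1
    print(run_construction(ell, k, make_instance(1, bad)))
    print(run_construction(ell, k, make_instance(1, bad, undetected=[(1, 2, 4)])))
```

The first run returns `(1, 10)`: the instance on H contributes \(a_\tau \) and the other nine contribute \(\bot \). The second returns `(0, 10)`: a single undetected wrong output makes the list contain both bits, which is the failure event bounded by \(\epsilon _{\textrm{EC}}=N\epsilon _{\textrm{ED}}\).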
We prove that \(\varPi \) is \((b;1-\epsilon _{\textrm{EC}})\)-error-correcting for \(\epsilon _{\textrm{EC}}=N\epsilon _{\textrm{ED}}\). Let \(\boldsymbol{a}\in \{0,1\}^n\) and \(\tau \in [n]\). Let \(H\in \left( {\begin{array}{c}[\ell ]\\ k\end{array}}\right) \) be a set of honest servers. Let \(f\in \mathcal {F}_{\overline{H}}^\varPi \) be a tampering function for \(\varPi \) with respect to \(\overline{H}\).
Let \(A_1, \ldots , A_N\) be all k-sized subsets of \([\ell ]\) such that \(A_1=H\). Let \(\varPi _0^{(j)}\) denote the instance of \(\varPi _0\) executed by the client and servers in \(A_j\). During the execution of \(\varPi _0^{(j)}\), the client generates
where \(r_j\in \mathfrak {R}_{\mathcal {Q}_0}\) and \(\textsf{que}_i^{(j)}\) is sent to \(\textsf{S}_i\). Then, \(\textsf{S}_i\) receives
In \(\varPi _0^{(1)}\), for any \(i \in A_1\), \(\textsf{S}_i\) returns
In each \(\varPi _0^{(j)}\) for \(j\ne 1\), any server \(\textsf{S}_i\) in \(A_j\) returns
where \(f_i^{(j)}\) is a function determined by f. It then follows from our definition of \(\mathcal {D}\) that
Therefore it is enough to show that
for any \(j\in [N]\setminus \{1\}\).
Let \(j\in [N]\setminus \{1\}\). Fix \(r_{-j}=(r_m)_{m\in [N]\setminus \{j\}}\) arbitrarily. Then \(\textsf{que}_i^{(m)}\) is a fixed constant for any \(m\in [N]\setminus \{j\}\) and \(i\in A_m\). Therefore for \(i\in A_j\), we can write
using some function \(g_{i,r_{-j}}\). Let \(\mathcal {X}_{-j}\) denote the random variable which represents \(r_{-j}\). Since \(|\overline{H}\cap A_j|\le b\) and \(\varPi _0\) is \((b,t;1-\epsilon _{\textrm{ED}})\)-error-detecting, we have that
E Proof of Theorem 5
For \(\boldsymbol{a}=(a_1,\ldots ,a_n)\in \{0,1\}^n\), define \(\boldsymbol{a}^*=(a_1^*,\ldots ,a_n^*)\in \{0,1\}^n\) as the same database as \(\boldsymbol{a}\) except that \(a_1^*=1-a_1\). Let \(B\subseteq [\ell ]\) be a subset of size b and let \(B'=[\ell ]\setminus B\). Let f be a tampering function such that \(f(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a})=(\widetilde{\textsf{ans}}_i)_{i\in [\ell ]}\), where
for any \(i\in [\ell ]\) and \(\textsf{que}_i\in \{0,1\}^{c_\textsf{que}}\). Also, let \(f'\) be a tampering function such that \(f'(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a})=(\widetilde{\textsf{ans}}_i')_{i\in [\ell ]}\), where
for any \(i\in [\ell ]\) and \(\textsf{que}_i\in \{0,1\}^{c_\textsf{que}}\). Note that \(f\in \mathcal {F}_{B}^\varPi \) and \(f'\in \mathcal {F}_{B'}^\varPi \). Also note that \((\boldsymbol{a}^*)^*=\boldsymbol{a}\) and that \(i\notin B\) is equivalent to \(i\in B'\). Thus, we have that
for any \(\boldsymbol{a}\in \{0,1\}^n\) and \(\textsf{que}_1,\ldots ,\textsf{que}_\ell \in \{0,1\}^{c_\textsf{que}}\).
Fix \(\boldsymbol{a}\in \{0,1\}^n\) arbitrarily. Define a subset S (resp. \(S'\)) of \(\mathfrak {R}_{\mathcal {Q}}\) as
where \((\textsf{que}_1,\ldots ,\textsf{que}_\ell ;\textsf{aux})=\mathcal {Q}(1;r)\). It follows from Eq. (7) and \(a^*_1=1-a_1\ne a_1\) that \(S\cap S'=\emptyset \). On the other hand, since \(|B|=b\) and \(|B'|=\ell -b\le b\), the \((b;1-\epsilon _{\textrm{EC}})\)-error correction of \(\varPi \) implies that \(|S|\ge (1-\epsilon _{\textrm{EC}})|\mathfrak {R}_{\mathcal {Q}}|\) and \(|S'|\ge (1-\epsilon _{\textrm{EC}})|\mathfrak {R}_{\mathcal {Q}}|\). Therefore, we have that
and \(\epsilon _{\textrm{EC}}\ge 1/2\).
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Eriguchi, R., Kurosawa, K., Nuida, K. (2022). On the Optimal Communication Complexity of Error-Correcting Multi-server PIR. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13749. Springer, Cham. https://doi.org/10.1007/978-3-031-22368-6_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22367-9
Online ISBN: 978-3-031-22368-6