On the Optimal Communication Complexity of Error-Correcting Multi-server PIR

  • Conference paper
Theory of Cryptography (TCC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13749))

Abstract

An \(\ell \)-server Private Information Retrieval (PIR) scheme enables a client to retrieve a data item from a database replicated among \(\ell \) servers while hiding the identity of the item. It is called b-error-correcting if a client can correctly compute the data item even in the presence of b malicious servers. It is known that b-error correction is possible if and only if \(\ell >2b\). In this paper, we first prove that if error correction is perfect, i.e., the client always corrects errors, the minimum communication cost of b-error-correcting \(\ell \)-server PIR is asymptotically equal to that of regular \((\ell -2b)\)-server PIR as a function of the database size n. Secondly, we formalize a relaxed notion of statistical b-error-correcting PIR, which allows non-zero failure probability. We show that as a function of n, the minimum communication cost of statistical b-error-correcting \(\ell \)-server PIR is asymptotically equal to that of regular \((\ell -b)\)-server one, which is at most that of \((\ell -2b)\)-server one. Our main technical contribution is a generic construction of statistical b-error-correcting \(\ell \)-server PIR for any \(\ell >2b\) from regular \((\ell -b)\)-server PIR. We can therefore reduce the problem of determining the optimal communication complexity of error-correcting PIR to determining that of regular PIR. In particular, our construction instantiated with the state-of-the-art PIR schemes and the previous lower bound for single-server PIR result in a separation in terms of communication cost between perfect and statistical error correction for any \(\ell >2b\).

Notes

  1. For regular PIR, the authors of [12, 18] introduced the statistical analogue of perfect correctness to derive lower bounds for the communication cost of two-server PIR. Statistical correctness allows a client to output an incorrect value with small probability even if all servers behave honestly (Definition 2).

  2. Note that \(\ell \)-private \(\ell \)-server PIR is equivalent to single-server PIR since all the \(\ell \) servers are allowed to collude and hence can be viewed as a single server.

  3. We define \(\mathcal {L}_n[s,c]=\exp (c(\log n)^s(\log \log n)^{1-s})\) for \(0\le s\le 1\) and \(c>0\) (see Sect. 3).

  4. More formally, we formalize \(\mathcal {B}\) by using a tampering function [11]. See [11] or Appendix A for the details.

References

  1. Ambainis, A.: Upper bound on the communication complexity of private information retrieval. In: Degano, P., Gorrieri, R., Marchetti-Spaccamela, A. (eds.) ICALP 1997. LNCS, vol. 1256, pp. 401–407. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-63165-8_196

  2. Banawan, K., Ulukus, S.: The capacity of private information retrieval from byzantine and colluding databases. IEEE Trans. Inf. Theory 65(2), 1206–1219 (2019)

  3. Beimel, A., Ishai, Y., Kushilevitz, E., Raymond, J.F.: Breaking the \(O(n^{1/(2k-1)})\) barrier for information-theoretic private information retrieval. In: Proceedings of the 43rd Annual IEEE Symposium on Foundations of Computer Science, pp. 261–270 (2002)

  4. Beimel, A., Ishai, Y.: Information-theoretic private information retrieval: a unified construction. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 912–926. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-48224-5_74

  5. Beimel, A., Stahl, Y.: Robust information-theoretic private information retrieval. J. Cryptol. 20(3), 295–321 (2007)

  6. Catalano, D., Fiore, D.: Practical homomorphic MACs for arithmetic circuits. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 336–352. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_21

  7. Chee, Y.M., Feng, T., Ling, S., Wang, H., Zhang, L.F.: Query-efficient locally decodable codes of subexponential length. Comput. Complex. 22(1), 159–189 (2013)

  8. Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–982 (1998)

  9. Dvir, Z., Gopi, S.: 2-server PIR with subpolynomial communication. J. ACM 63(4), 1–15 (2016)

  10. Efremenko, K.: 3-query locally decodable codes of subexponential length. SIAM J. Comput. 41(6), 1694–1703 (2012)

  11. Eriguchi, R., Kurosawa, K., Nuida, K.: Multi-server PIR with full error detection and limited error correction. In: 3rd Conference on Information-Theoretic Cryptography (ITC 2022), pp. 1:1–1:20 (2022)

  12. Goldreich, O., Karloff, H., Schulman, L., Trevisan, L.: Lower bounds for linear locally decodable codes and private information retrieval. Comput. Complex. 15(3), 263–296 (2006)

  13. Itoh, T., Suzuki, Y.: Improved constructions for query-efficient locally decodable codes of subexponential length. IEICE Trans. Inf. Syst. E93.D(2), 263–270 (2010)

  14. Kurosawa, K.: How to correct errors in multi-server PIR. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 564–574. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_20

  15. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, STOC 1989, pp. 73–85 (1989)

  16. Sun, H., Jafar, S.A.: The capacity of private information retrieval. IEEE Trans. Inf. Theory 63(7), 4075–4088 (2017)

  17. Sun, H., Jafar, S.A.: The capacity of robust private information retrieval with colluding databases. IEEE Trans. Inf. Theory 64(4), 2361–2370 (2018)

  18. Wehner, S., de Wolf, R.: Improved lower bounds for locally decodable codes and private information retrieval. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 1424–1436. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_115

  19. Woodruff, D., Yekhanin, S.: A geometric approach to information-theoretic private information retrieval. In: 20th Annual IEEE Conference on Computational Complexity (CCC 2005), pp. 275–284 (2005)

  20. Yang, E., Xu, J., Bennett, K.: Private information retrieval in the presence of malicious failures. In: Proceedings 26th Annual International Computer Software and Applications, pp. 805–810 (2002)

  21. Yekhanin, S.: Towards 3-query locally decodable codes of subexponential length. J. ACM (JACM) 55(1), 1–16 (2008)

Acknowledgement

This research was partially supported by JSPS KAKENHI Grant Numbers JP20J20797 and 19H01109, Japan, JST CREST Grant Number JPMJCR2113, Japan, and JST AIP Acceleration Research JPMJCR22U5, Japan.

Corresponding author

Correspondence to Reo Eriguchi.

Appendices

A Definitions

Following [11], we use the notion of tampering functions to formalize a malicious server who corrupts a set of servers and modifies their answers.

Definition 7

(Tampering function). Let \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) be an \(\ell \)-server PIR scheme. Let \(T\subseteq [\ell ]\) be a subset. Let f be a function which takes \((\textsf{que}_1,\ldots ,\textsf{que}_\ell )\in (\{0,1\}^{c_\textsf{que}})^\ell \) and \(\boldsymbol{a}\in \{0,1\}^n\) as input, and outputs \((\widetilde{\textsf{ans}}_1,\ldots ,\widetilde{\textsf{ans}}_\ell )\in (\{0,1\}^{c_\textsf{ans}})^\ell \). We say that f is a tampering function for \(\varPi \) with respect to T if for each \(i\in [\ell ]\), it holds that

$$\begin{aligned} \widetilde{\textsf{ans}}_i= {\left\{ \begin{array}{ll} \mathcal {A}(i,\textsf{que}_i,\boldsymbol{a}),&{}\text {if}~i\notin T,\\ f_i(\{\textsf{que}_{i'}\}_{i'\in T},\boldsymbol{a}),&{}\text {if}~i\in T, \end{array}\right. } \end{aligned}$$

for some function \(f_i\). We denote the family of all such tampering functions by \(\mathcal {F}_{T}^\varPi \).

Definition 8

(Error-correcting PIR). We say that an \(\ell \)-server PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) is \((1-\epsilon _{\textrm{EC}})\)-error-correcting with respect to T if for any \(\boldsymbol{a}=(a_1,\ldots ,a_n)\in \{0,1\}^n\), any \(\tau \in [n]\) and any \(f\in \mathcal {F}_{T}^\varPi \), it holds that

IMAGE

where \((\textsf{que}_1,\ldots ,\textsf{que}_\ell ;\textsf{aux})=\mathcal {Q}(\tau ;r)\). We say that an \(\ell \)-server PIR scheme \(\varPi \) is \((b;1-\epsilon _{\textrm{EC}})\)-error-correcting if it is \((1-\epsilon _{\textrm{EC}})\)-error-correcting with respect to any \(T\subseteq [\ell ]\) of size b.

Definition 9

(Error-detecting PIR). We say that an \(\ell \)-server PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) is \((1-\epsilon _{\textrm{ED}})\)-error-detecting with respect to T if the following conditions hold:

  • \(\varPi \) is \((1-\epsilon _{\textrm{ED}})\)-correct.

  • \(\mathcal {D}\) is allowed to output a special symbol \(\bot \) and it holds that for any \(\boldsymbol{a}=(a_1,\ldots ,a_n)\in \{0,1\}^n\), any \(\tau \in [n]\) and any \(f\in \mathcal {F}_{T}^\varPi \),

    IMAGE

    where \((\textsf{que}_1,\ldots ,\textsf{que}_\ell ;\textsf{aux})=\mathcal {Q}(\tau ;r)\).

We say that an \(\ell \)-server PIR scheme \(\varPi \) is \((b;1-\epsilon _{\textrm{ED}})\)-error-detecting if it is \((1-\epsilon _{\textrm{ED}})\)-error-detecting with respect to any subset T of size b.

Fig. 3. The query algorithm of the PIR scheme \(\varPi \) in Theorem 2

Fig. 4. The answer algorithm of \(\varPi \)

Fig. 5. The reconstruction algorithm of \(\varPi \)

B Proof of Theorem 2

Let \(\mathcal {I}=\{(i,j)\in [k]^2:i\ne j\}\). Let \(\varPi \) be a k-server PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) described in Figs. 3, 4 and 5.

Communication complexity. The communication complexity of \(\varPi \) is at most

$$\begin{aligned} \lambda (2c_{0}+O(\log k))&=O(\lambda (c_{0}+\log k)). \end{aligned}$$

Correctness. Assume that all servers are honest. Let \(\boldsymbol{a}\in \{0,1\}^n\) be a database and \(\tau \in [n]\) be a client’s index. Let \(\nu \in [\lambda ]\). We show that the value \(z^{(\nu )}\) computed at Step 2(b) of \(\mathcal {D}\) is 0 or 1 with probability 1 and is equal to \(a_\tau \) with probability at least \(1-\epsilon \). If so, the union bound implies that \(\{z^{(\nu )}:\nu \in [\lambda ]\}=\{a_\tau \}\) holds with probability at least \(1-\lambda \epsilon \), which shows the \((1-\epsilon _{\textrm{ED}})\)-correctness of \(\varPi \).

Assume that \(b^{(\nu )}=0\). We can deal with the other case of \(b^{(\nu )}=1\) similarly. Observe that the first row of \(\boldsymbol{Q}^{(\nu )}\) is

$$\begin{aligned} \textsf{row}_1^{(j)}=\left( (1,\textsf{que}_{1,1}^{(\nu )}),\ldots ,(k,\textsf{que}_{1,k}^{(\nu )})\right) . \end{aligned}$$

Since all servers are honest, the first row of \(\boldsymbol{A}^{(\nu )}\) is

$$\begin{aligned} (\widetilde{\textsf{ans}}_{1,1}^{(\nu )},\ldots ,\widetilde{\textsf{ans}}_{1,k}^{(\nu )};\textsf{aux}_1^{(\nu )})=\left( \mathcal {A}(1,\textsf{que}_{1,1}^{(\nu )},\boldsymbol{a}),\ldots ,\mathcal {A}(k,\textsf{que}_{1,k}^{(\nu )},\boldsymbol{a});\textsf{aux}_1^{(\nu )}\right) . \end{aligned}$$

The \((1-\epsilon )\)-correctness of \(\varPi _0\) implies that

$$\begin{aligned} y^{(\nu )}=\mathcal {D}_0(\widetilde{\textsf{ans}}_{1,1}^{(\nu )},\ldots ,\widetilde{\textsf{ans}}_{1,k}^{(\nu )};\textsf{aux}_1^{(\nu )})=a_\tau \end{aligned}$$

with probability \(1-\epsilon \).

If the client chooses \((i,j)\in \mathcal {I}\) at Step 1(b) of \(\mathcal {Q}\), the (2, i)-th entry of \(\boldsymbol{Q}^{(\nu )}\) is equal to the (2, j)-th entry of \(\boldsymbol{Q}^{(\nu )}\), which is \((j,\textsf{que}_{2,j}^{(\nu )})\). Since Servers i and j are honest, it holds that

$$\begin{aligned} \widetilde{\textsf{ans}}_{2,i}^{(\nu )} =\mathcal {A}_0(j,\textsf{que}_{2,j}^{(\nu )},\boldsymbol{a}) =\widetilde{\textsf{ans}}_{2,j}^{(\nu )}. \end{aligned}$$

Hence, at Step 2(b), the equality holds with probability 1.

Therefore, \(z^{(\nu )}\) is always set to \(y^{(\nu )}\in \{0,1\}\), which is equal to \(a_\tau \) with probability \(1-\epsilon \).

Privacy. Observe that a query vector \((\textsf{que}_i)_{i\in [k]}\) generated by \(\mathcal {Q}\) contains nothing more than \(2\lambda \) independent query vectors \((\textsf{que}_{m,i}^{(\nu )})_{i\in [k]}\) (\(m\in \{1,2\},\nu \in [\lambda ]\)), each generated by \(\mathcal {Q}_0\). Therefore, the t-privacy of \(\varPi \) follows from that of \(\varPi _0\).

Error Detection. We prove that \(\varPi \) is \((b;1-\epsilon _{\textrm{ED}})\)-error-detecting. Let \(\boldsymbol{a}\in \{0,1\}^n\) and \(\tau \in [n]\). Without loss of generality, we may assume that the server \(\textsf{S}_1\) is honest. Let \(T=[k]\setminus \{1\}\) and \(f\in \mathcal {F}_{T}^\varPi \) be a tampering function for \(\varPi \) with respect to T.

Let \(\mathcal {I}_0=\mathcal {I}\times \{0,1\}\). Let \(\mathfrak {R}_{\mathcal {Q}}\) denote the set of all random strings for \(\mathcal {Q}\), that is, \(\mathcal {I}_0^\lambda \times (\mathfrak {R}_{\mathcal {Q}_0}^N)^\lambda \). We suppose that any \((\pi ,r)\in \mathfrak {R}_{\mathcal {Q}}\) is decomposed into \(\pi =(i^{(\nu )},j^{(\nu )},b^{(\nu )})_{\nu \in [\lambda ]}\) and \(r=(r_m^{(\nu )})_{m\in \{1,2\},\nu \in [\lambda ]}\), where \((i^{(\nu )},j^{(\nu )},b^{(\nu )})\in \mathcal {I}_0\) and \(r_m^{(\nu )}\in \mathfrak {R}_{\mathcal {Q}_0}\). We naturally identify any event \(\textsf{A}\) with a subset of \(\mathfrak {R}_{\mathcal {Q}}\) consisting of all random strings on which \(\textsf{A}\) occurs.

Let \(\textsf{E}\) denote the event in which \(\mathcal {D}_0\) outputs an incorrect value even if all servers are honest. Formally, we define

figure l

where \(((\textsf{que}_{m,i}^{(\nu )})_{i\in [k]};\textsf{aux}_m^{(\nu )})={\mathcal {Q}_0}(\tau ;r_m^{(\nu )})\) for any \(m\in \{1,2\},\nu \in [\lambda ]\). The \((1-\epsilon )\)-correctness of \(\varPi _0\) implies that \(\textsf{E}\) occurs with probability at most \(2\lambda \epsilon \). Let

$$\begin{aligned} \mathfrak {R}_{\textsf{E}}=\{r\in (\mathfrak {R}_{\mathcal {Q}_0})^\lambda :\exists \pi \in \mathcal {I}_0^\lambda ,(\pi ,r)\in \textsf{E}\}. \end{aligned}$$

For any \((\pi ,r)\in \mathfrak {R}_{\mathcal {Q}}\), let \(w(\pi ,r)\in \{0,1,\bot \}\) denote the value outputted by the client when \((\pi ,r)\) is used to generate queries. Let \(\textsf{F}\) denote the set of all \((\pi ,r)\)’s such that \(w(\pi ,r)=1-a_\tau \).

Let R be the random variable representing . We have that

(1)

Fix \(r\notin \mathfrak {R}_{\textsf{E}}\). For every \(\nu \in [\lambda ]\), let \(\textsf{F}^{(\nu )}\) be the event conditioned on \(R=r\) that \(z^{(\nu )}=1-a_\tau \) at the \(\nu \)-th iteration of Step 2 of \(\mathcal {D}\). We have that

(2)

Furthermore, we have that

(3)

Fix \(\pi ^{(1)},\ldots ,\pi ^{(\nu -1)},\pi ^{(\nu +1)},\ldots ,\pi ^{(\lambda )}\in \mathcal {I}_0\). For ease of reading, let \(\textsf{COND}\) denote the condition of the probability (3). Define an event \(\textsf{BAD}\) that the client picks \(\pi ^{(\nu )}=(i^{(\nu )},j^{(\nu )},b^{(\nu )})\in \mathcal {I}_0\) such that \(i^{(\nu )}\ne 1\). In other words, \(\textsf{BAD}\) means that the client fails to guess that \(\textsf{S}_1\) is honest. Then, we have that

(4)

We will show that

(5)

Let X denote the set of all \(\pi ^{(\nu )}\in \mathcal {I}_0\) such that

  • \(\pi ^{(\nu )}\in \overline{\textsf{BAD}}\), i.e., it has the form of \(\pi ^{(\nu )}=(1,j^{(\nu )},b^{(\nu )})\);

  • \(\textsf{COND}\) occurs on \(\pi ^{(\nu )}\), i.e., it holds that

    $$\begin{aligned} \pi :=(\pi ^{(1)},\ldots ,\pi ^{(\nu -1)},\pi ^{(\nu )},\pi ^{(\nu +1)},\ldots ,\pi ^{(\lambda )})\in \textsf{F}^{(1)}\cap \cdots \cap \textsf{F}^{(\nu -1)}. \end{aligned}$$

Let Y denote a subset consisting of all \(\pi ^{(\nu )}\in X\) satisfying \(\pi \in \textsf{F}^{(1)}\cap \cdots \cap \textsf{F}^{(\nu -1)}\cap \textsf{F}^{(\nu )}\).

If \(X=\emptyset \), then (5) clearly holds. If \(X\ne \emptyset \), choose \(\pi ^{(\nu )}=(1,j^{(\nu )},b^{(\nu )})\in X\) arbitrarily. Denote the queries sent to the malicious servers \(\textsf{S}_2,\ldots ,\textsf{S}_k\) when \(\pi ^{(\nu )}\) is picked at Step 1(b) of \(\mathcal {Q}\), by

$$\begin{aligned} (2,\textsf{que}_{1,2}^{(\mu )}),\ldots ,(k,\textsf{que}_{1,k}^{(\mu )}), (2,\textsf{que}_{2,2}^{(\mu )}),\ldots ,(k,\textsf{que}_{2,k}^{(\mu )}),~\mu \in [\lambda ] \end{aligned}\tag{6}$$

We can see that if another \((1,j,b)\in \mathcal {I}_0\) is picked, the queries sent to the malicious servers are the same as (6). Since the tampering function f is deterministic, the answers returned by them are also the same regardless of what is picked as \((j^{(\nu )},b^{(\nu )})\) at Step 1(b) of \(\mathcal {Q}\). Therefore, if \(\textsf{COND}\) occurs on \(\pi ^{(\nu )}\), \(\textsf{COND}\) occurs on every \((1,j,b)\in \mathcal {I}_0\). In particular, we have that \(|X|=2(k-1)\) if \(X\ne \emptyset \).

We have seen that the answers returned by the malicious servers \(\textsf{S}_2,\ldots ,\textsf{S}_k\) are the same for any \(\pi ^{(\nu )}\in X\). We denote the answers by

$$\begin{aligned} \widetilde{\textsf{ans}}_{1,2}^{(\nu )},\ldots ,\widetilde{\textsf{ans}}_{1,k}^{(\nu )}, \widetilde{\textsf{ans}}_{2,2}^{(\nu )},\ldots ,\widetilde{\textsf{ans}}_{2,k}^{(\nu )}. \end{aligned}$$

If all of them are correct, i.e., \(\widetilde{\textsf{ans}}_{m,j}^{(\nu )}=\mathcal {A}_0(j,\textsf{que}_{m,j}^{(\nu )},\boldsymbol{a})\), we obtain that \(Y=\emptyset \). This is because at one of the rows of \(\boldsymbol{A}^{(\nu )}\), the client computes

$$\begin{aligned} y^{(\nu )}=\mathcal {D}_0(\widetilde{\textsf{ans}}_{m,1}^{(\nu )},\ldots ,\widetilde{\textsf{ans}}_{m,k}^{(\nu )};\textsf{aux}_m^{(\nu )}). \end{aligned}$$

Since we assume \(\textsf{E}\) does not occur, i.e., \(r\notin \mathfrak {R}_{\textsf{E}}\), an outcome of \(\mathcal {D}_0\) never results in \(1-a_\tau \) and hence \(\textsf{F}^{(\nu )}\) never occurs. Assume that there exist \(m\in \{1,2\}\) and \(j\in \{2,3,\ldots ,k\}\) such that

$$\begin{aligned} \widetilde{\textsf{ans}}_{m,j}^{(\nu )}\ne \mathcal {A}_0(j,\textsf{que}_{m,j}^{(\nu )},\boldsymbol{a}). \end{aligned}$$

We can see that \((1,j,1)\notin Y\) if \(m=1\), and that \((1,j,0)\notin Y\) if \(m=2\). To see this, consider the case of \(m=1\). If \(j^{(\nu )}=j\) and \(b^{(\nu )}=1\) are picked at Step 1(b) of \(\mathcal {Q}\), the client detects errors (i.e., outputs \(\bot \)) since he finds the inconsistency

$$\begin{aligned} \widetilde{\textsf{ans}}_{1,1}^{(\nu )}=\mathcal {A}_0(j,\textsf{que}_{1,j}^{(\nu )},\boldsymbol{a})\ne \widetilde{\textsf{ans}}_{1,j}^{(\nu )}. \end{aligned}$$

The other case of \(m=2\) is similar. Therefore, if \(X\ne \emptyset \),

IMAGE

which implies (5).

Finally, we obtain from (3) and (4) that

IMAGE

and hence (2) implies that

IMAGE

Therefore, the \((b;1-\epsilon _{\textrm{ED}})\)-error detection follows from (1) and

IMAGE

C Proof of Lemma 1

Define \(\varPi \) as follows:

  • Iterate \(\varPi _0\) \(\lambda \) times in parallel.

  • Let \(y_i\in \{0,1\}\) be the output of the i-th iteration of \(\varPi _0\) for \(i\in [\lambda ]\). If there exists \(y\in \{0,1\}\) such that \(|\{i:y_i=y\}|>|\{i:y_i=1-y\}|\), output y. Otherwise, output 0.

Clearly, the communication complexity of \(\varPi \) is \(\lambda \) times larger than that of \(\varPi _0\) and the t-privacy of \(\varPi \) directly follows from that of \(\varPi _0\). Let \(\boldsymbol{a}\in \{0,1\}^n\) be a database and \(\tau \in [n]\) be a client’s index. The outputs of \(\varPi _0\) are independent and each output is equal to \(a_\tau \) with probability \(1-\epsilon _0\).

Let \(X_i\) be a random variable over \(\{0,1\}\) defined as \(X_i=1\) if and only if \(y_i=a_\tau \). \(X_1,\ldots ,X_\lambda \) are i.i.d. random variables such that . It then follows from the Chernoff bound that

IMAGE

The last inequality follows from

$$\begin{aligned} \frac{1}{2}\ln (4\epsilon _0(1-\epsilon _0))&=\frac{1}{2}\ln (1-4x^2)\le -2x^2, \end{aligned}$$

where \(x=1/2-\epsilon _0\).
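The amplification of Lemma 1 can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes the exact failure probability of the majority decoder (ties decoded as 0) and compares it with the two quantities related by the last inequality above. The Chernoff display itself is not reproduced on this page, so the form \((4\epsilon _0(1-\epsilon _0))^{\lambda /2}\) is assumed here as the standard bound; all function names are hypothetical.

```python
from fractions import Fraction
from math import ceil, comb, exp, log


def majority(outputs):
    """Decoder of Lemma 1: the strict-majority bit, or 0 when the votes tie."""
    ones = sum(outputs)
    return 1 if ones > len(outputs) - ones else 0


def exact_failure(lam, eps0, a_tau):
    """Exact Pr[majority != a_tau] over lam independent runs of Pi_0,
    each of which outputs 1 - a_tau with probability eps0."""
    eps0 = Fraction(eps0)
    fail = Fraction(0)
    for wrong in range(lam + 1):  # number of runs that returned the wrong bit
        outputs = [1 - a_tau] * wrong + [a_tau] * (lam - wrong)
        if majority(outputs) != a_tau:
            fail += comb(lam, wrong) * eps0**wrong * (1 - eps0) ** (lam - wrong)
    return fail


def chernoff_bound(lam, eps0):
    """Assumed Chernoff form: (4 * eps0 * (1 - eps0)) ** (lam / 2)."""
    return float(4 * eps0 * (1 - eps0)) ** (lam / 2)


def exponential_bound(lam, eps0):
    """exp(-2 x^2 lam) with x = 1/2 - eps0, from the last inequality of the proof."""
    x = 0.5 - float(eps0)
    return exp(-2 * x * x * lam)


def rounds_needed(eps0, target):
    """Smallest lam for which exp(-2 x^2 lam) <= target."""
    x = 0.5 - float(eps0)
    return ceil(log(1 / target) / (2 * x * x))


if __name__ == "__main__":
    eps0 = Fraction(1, 3)  # constructed sample error rate of Pi_0
    for lam in (1, 5, 25, 125):
        # a_tau = 1 is the harder case: a tie is decoded as 0
        worst = max(exact_failure(lam, eps0, bit) for bit in (0, 1))
        print(lam, float(worst), chernoff_bound(lam, eps0),
              exponential_bound(lam, eps0))
    print("rounds for 2^-20:", rounds_needed(eps0, 2.0**-20))
```

The tie-break rule makes the two database values asymmetric: for even \(\lambda \) a tie counts as a failure only when \(a_\tau =1\), which is why the comparison takes the maximum over both bits.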

D Proof of Theorem 3

For \(\varPi _0=(\mathcal {Q}_0,\mathcal {A}_0,\mathcal {D}_0)\), we consider a PIR scheme \(\varPi =(\mathcal {Q},\mathcal {A},\mathcal {D})\) where \((\mathcal {Q},\mathcal {A})\) runs N independent instances of \((\mathcal {Q}_0,\mathcal {A}_0)\) between a client and every subset of k servers and \(\mathcal {D}\) is defined as follows: For each of N executions of \((\mathcal {Q}_0,\mathcal {A}_0)\), \(\mathcal {D}\) runs \(\mathcal {D}_0\) on the corresponding input and adds the output to a list \(\mathcal {L}\). If \(\mathcal {L}=\{s\}\) or \(\mathcal {L}=\{s,\bot \}\) for some \(s\in \{0,1\}\), then \(\mathcal {D}\) outputs s and otherwise outputs 0. The communication complexity of \(\varPi \) is Nc. Since each execution of \(\mathcal {Q}_0\) is done independently, \(\varPi \) is also t-private.

We prove that \(\varPi \) is \((b;1-\epsilon _{\textrm{EC}})\)-error-correcting for \(\epsilon _{\textrm{EC}}=N\epsilon _{\textrm{ED}}\). Let \(\boldsymbol{a}\in \{0,1\}^n\) and \(\tau \in [n]\). Let \(H\in \left( {\begin{array}{c}[\ell ]\\ k\end{array}}\right) \) be a set of honest servers. Let \(f\in \mathcal {F}_{\overline{H}}^\varPi \) be a tampering function for \(\varPi \) with respect to \(\overline{H}\).

Let \(A_1, \ldots , A_N\) be all k-sized subsets of \([\ell ]\) such that \(A_1=H\). Let \(\varPi _0^{(j)}\) denote the instance of \(\varPi _0\) executed by the client and servers in \(A_j\). During the execution of \(\varPi _0^{(j)}\), the client generates

$$\begin{aligned} {\mathcal {Q}_0}(\tau ;r_j) = ((\textsf{que}_i^{(j)})_{i \in A_j};\textsf{aux}^{(j)}), \end{aligned}$$

where \(r_j\in \mathfrak {R}_{\mathcal {Q}_0}\) and \(\textsf{que}_i^{(j)}\) is sent to \(\textsf{S}_i\). Then, \(\textsf{S}_i\) receives

$$\begin{aligned} \textsf{que}_i'=\{\textsf{que}_i^{(j)} : j\in [N]~\text {with}~ i \in A_j\}. \end{aligned}$$

In \(\varPi _0^{(1)}\), for any \(i \in A_1\), \(\textsf{S}_i\) returns

$$\begin{aligned} \widetilde{\textsf{ans}}_i^{(1)}=\textsf{ans}_i^{(1)}=\mathcal {A}_0(i,\textsf{que}_i^{(1)},\boldsymbol{a}). \end{aligned}$$

In each \(\varPi _0^{(j)}\) for \(j\ne 1\), any server \(\textsf{S}_i\) in \(A_j\) returns

$$\begin{aligned} \widetilde{\textsf{ans}}_i^{(j)}= {\left\{ \begin{array}{ll} \textsf{ans}_i^{(j)}=\mathcal {A}_0(i,\textsf{que}_i^{(j)},\boldsymbol{a}),&{}\text {if}~i\in H,\\ f_i^{(j)}(\{\textsf{que}'_{i'}\}_{i'\in \overline{H}},\boldsymbol{a}),&{}\text {otherwise}, \end{array}\right. } \end{aligned}$$

where \(f_i^{(j)}\) is a function determined by f. It then follows from our definition of \(\mathcal {D}\) that

IMAGE

Therefore it is enough to show that

figure o

for any \(j\in [N]\setminus \{1\}\).

Let \(j\in [N]\setminus \{1\}\). Fix \(r_{-j}=(r_m)_{m\in [N]\setminus \{j\}}\) arbitrarily. Then \(\textsf{que}_i^{(m)}\) is a fixed constant for any \(m\in [N]\setminus \{j\}\) and \(i\in A_m\). Therefore for \(i\in A_j\), we can write

$$ \widetilde{\textsf{ans}}_i^{(j)} = f_i^{(j)}(\{\textsf{que}'_{i'}\}_{ i' \in \overline{H}},\boldsymbol{a}) = g_{i,r_{-j}}(\{\textsf{que}_{i'}^{(j)}\}_{ i' \in \overline{H}\cap S_j},\boldsymbol{a}) $$

using some function \(g_{i,r_{-j}}\). Let \(\mathcal {X}_{-j}\) denote the random variable which represents \(r_{-j}\). Since \(|\overline{H}\cap A_j|\le b\) and \(\varPi _0\) is \((b,t;1-\epsilon _{\textrm{ED}})\)-error-detecting, we have that

IMAGE
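The combiner \(\mathcal {D}\) of this appendix, as an added Python example that is not code from the paper. The error-detecting scheme \(\varPi _0\) is replaced by a constructed stand-in: each server returns its whole copy of the database and \(\mathcal {D}_0\) outputs \(\bot \) when the copies disagree at position \(\tau \) (so queries are empty and \(\epsilon _{\textrm{ED}}=0\) whenever a subset contains an honest server). All names, and the 0-based indexing, are assumptions.

```python
from itertools import combinations

BOT = None  # stands for the special symbol ⊥


def pi0_decode(answers, tau):
    """D_0 of the stand-in Pi_0: the answers are full database copies;
    return the bit at tau if all copies agree there, otherwise ⊥."""
    bits = {ans[tau] for ans in answers}
    return bits.pop() if len(bits) == 1 else BOT


def combine(outputs):
    """Decoder D of Appendix D: if the list of outputs is {s} or {s, ⊥}
    for a bit s, output s; otherwise output 0."""
    values = set(outputs) - {BOT}
    return values.pop() if len(values) == 1 else 0


def retrieve(ell, k, a, tau, tamper):
    """Run Pi_0 once per k-subset A_j of the ell servers and combine.
    tamper(i, subset, a) is the database copy server i answers with in the
    instance run on `subset`; an honest server returns a itself."""
    outputs = []
    for subset in combinations(range(ell), k):
        answers = [tamper(i, subset, a) for i in subset]
        outputs.append(pi0_decode(answers, tau))
    return combine(outputs), outputs


def flip_at(corrupted, tau):
    """Tampering rule: every corrupted server flips bit tau in all instances."""
    def tamper(i, subset, a):
        if i not in corrupted:
            return a
        return a[:tau] + (1 - a[tau],) + a[tau + 1:]
    return tamper


if __name__ == "__main__":
    a, tau = (1, 0, 1, 1), 0  # constructed sample database and index

    # ell = 5, b = 2, k = ell - b = 3: every 3-subset holds an honest server,
    # so each tampered instance yields ⊥ and the all-honest subset fixes s.
    result, outputs = retrieve(5, 3, a, tau, flip_at({3, 4}, tau))
    print(result, outputs)

    # ell = 4, b = 2, k = 2: the subset {2, 3} is fully corrupted, the
    # stand-in Pi_0 cannot detect anything there, and D falls back to 0.
    result, outputs = retrieve(4, 2, a, tau, flip_at({2, 3}, tau))
    print(result, outputs)
```

The second run is outside the setting of the proof, which needs \(|\overline{H}\cap A_j|\le b\) together with an error-detecting \(\varPi _0\); it is included only to show what the list \(\mathcal {L}\) looks like when a subset contains no honest server.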

E Proof of Theorem 5

For \(\boldsymbol{a}=(a_1,\ldots ,a_n)\in \{0,1\}^n\), define \(\boldsymbol{a}^*=(a_1^*,\ldots ,a_n^*)\in \{0,1\}^n\) as the same database as \(\boldsymbol{a}\) except that \(a_1^*=1-a_1\). Let \(B\subseteq [\ell ]\) be a subset of size b and let \(B'=[\ell ]\setminus B\). Let f be a tampering function such that \(f(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a})=(\widetilde{\textsf{ans}}_i)_{i\in [\ell ]}\), where

$$\begin{aligned} \widetilde{\textsf{ans}}_i&= {\left\{ \begin{array}{ll} \mathcal {A}(i,\textsf{que}_i,\boldsymbol{a}),~&{}\text {if}~i\notin B,\\ \mathcal {A}(i,\textsf{que}_i,\boldsymbol{a}^*),~&{}\text {if}~i\in B.\\ \end{array}\right. } \end{aligned}$$

for any \(i\in [\ell ]\) and \(\textsf{que}_i\in \{0,1\}^{c_\textsf{que}}\). Also, let \(f'\) be a tampering function such that \(f'(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a})=(\widetilde{\textsf{ans}}_i')_{i\in [\ell ]}\), where

$$\begin{aligned} \widetilde{\textsf{ans}}_i'&= {\left\{ \begin{array}{ll} \mathcal {A}(i,\textsf{que}_i,\boldsymbol{a}),~&{}\text {if}~i\notin B',\\ \mathcal {A}(i,\textsf{que}_i,\boldsymbol{a}^*),~&{}\text {if}~i\in B'\\ \end{array}\right. } \end{aligned}$$

for any \(i\in [\ell ]\) and \(\textsf{que}_i\in \{0,1\}^{c_\textsf{que}}\). Note that \(f\in \mathcal {F}_{B}^\varPi \) and \(f'\in \mathcal {F}_{B'}^\varPi \). Also note that \((\boldsymbol{a}^*)^*=\boldsymbol{a}\) and that \(i\notin B\) is equivalent to \(i\in B'\). Thus, we have that

$$\begin{aligned} f(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a})=f'(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a}^*) \end{aligned}\tag{7}$$

for any \(\boldsymbol{a}\in \{0,1\}^n\) and \(\textsf{que}_1,\ldots ,\textsf{que}_\ell \in \{0,1\}^{c_\textsf{que}}\).

Fix \(\boldsymbol{a}\in \{0,1\}^n\) arbitrarily. Define a subset S (resp. \(S'\)) of \(\mathfrak {R}_{\mathcal {Q}}\) as

$$\begin{aligned} S&=\{r\in \mathfrak {R}_{\mathcal {Q}}:\mathcal {D}(f(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a});\textsf{aux})=a_1\},\\ S'&=\{r\in \mathfrak {R}_{\mathcal {Q}}:\mathcal {D}(f'(\textsf{que}_1,\ldots ,\textsf{que}_\ell ,\boldsymbol{a}^*);\textsf{aux})=a^*_1\}, \end{aligned}$$

where \((\textsf{que}_1,\ldots ,\textsf{que}_\ell ;\textsf{aux})=\mathcal {Q}(1;r)\). It follows from Eq. (7) and \(a^*_1=1-a_1\ne a_1\) that \(S\cap S'=\emptyset \). On the other hand, since \(|B|=b\) and \(|B'|=\ell -b\le b\), the \((b;1-\epsilon _{\textrm{EC}})\)-error correction of \(\varPi \) implies that \(|S|\ge (1-\epsilon _{\textrm{EC}})|\mathfrak {R}_{\mathcal {Q}}|\) and \(|S'|\ge (1-\epsilon _{\textrm{EC}})|\mathfrak {R}_{\mathcal {Q}}|\). Therefore, we have that

$$\begin{aligned} |\mathfrak {R}_{\mathcal {Q}}|\ge |S\cup S'|=|S|+|S'|\ge 2(1-\epsilon _{\textrm{EC}})|\mathfrak {R}_{\mathcal {Q}}| \end{aligned}$$

and \(\epsilon _{\textrm{EC}}\ge 1/2\).
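The counting argument above, carried out on a concrete scheme as an added Python example (not code from the paper). It assumes the two-server XOR scheme of [8] with \(\ell =2\), \(b=1\), a constructed database size \(n=4\) and 0-based indices, so the proof's index 1 is position 0; the decoders and all function names are hypothetical.

```python
from itertools import product

N = 4           # constructed toy database size
B = {0}         # corrupted set B, |B| = b = 1
B_PRIME = {1}   # B' = [ell] \ B, also of size at most b because ell = 2b


def flip_first(a):
    """a*: the same database with its first bit flipped."""
    return (1 - a[0],) + tuple(a[1:])


def query(tau, r):
    """Q(tau; r): r is an n-bit mask; server 0 gets r, server 1 gets r with
    bit tau toggled. This scheme needs no aux."""
    return (r, r ^ (1 << tau)), None


def answer(i, que, a):
    """A(i, que, a): XOR of the database bits selected by the mask."""
    bit = 0
    for pos, value in enumerate(a):
        if (que >> pos) & 1:
            bit ^= value
    return bit


def tamper(corrupted, ques, a):
    """f (or f'): servers in `corrupted` answer as if the database were a*."""
    a_star = flip_first(a)
    return tuple(answer(i, q, a_star if i in corrupted else a)
                 for i, q in enumerate(ques))


DECODERS = {  # any decoder D is allowed; these are constructed samples
    "xor": lambda ans, aux: ans[0] ^ ans[1],   # the scheme's honest decoder
    "first": lambda ans, aux: ans[0],
    "const0": lambda ans, aux: 0,
    "const1": lambda ans, aux: 1,
}


def count_success(decoder, a):
    """Return (|S|, |S'|, |R_Q|, views_equal) for retrieval of position 0."""
    a_star = flip_first(a)
    s = s_prime = 0
    views_equal = True
    for r in range(2 ** N):
        ques, aux = query(0, r)
        view = tamper(B, ques, a)                   # database a, B corrupted
        view_prime = tamper(B_PRIME, ques, a_star)  # database a*, B' corrupted
        views_equal &= view == view_prime           # Eq. (7)
        s += decoder(view, aux) == a[0]
        s_prime += decoder(view_prime, aux) == a_star[0]
    return s, s_prime, 2 ** N, views_equal


if __name__ == "__main__":
    for name, dec in DECODERS.items():
        for a in product((0, 1), repeat=N):
            s, s_prime, total, same = count_success(dec, a)
            assert same and s + s_prime <= total
        print(name, count_success(dec, (1, 0, 1, 1)))
```

Because the two answer vectors coincide for every random string, each \(r\) lies in at most one of \(S\) and \(S'\), which is the disjointness the proof uses to reach \(\epsilon _{\textrm{EC}}\ge 1/2\).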

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Eriguchi, R., Kurosawa, K., Nuida, K. (2022). On the Optimal Communication Complexity of Error-Correcting Multi-server PIR. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13749. Springer, Cham. https://doi.org/10.1007/978-3-031-22368-6_3

  • DOI: https://doi.org/10.1007/978-3-031-22368-6_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22367-9

  • Online ISBN: 978-3-031-22368-6
