Equivalence of Non-Perfect Secret Sharing and
Symmetric Private Information Retrieval with
General Access Structure
Seunghoan Songa and Masahito Hayashib,a
a
Graduate School of Mathematics, Nagoya University
b
Shenzhen Institute for Quantum Science and Engineering, Southern University of Science and Technology
Email: m17021a@math.nagoya-u.ac.jp & hayashi@sustech.edu.cn
arXiv:2101.11194v1 [cs.CR] 27 Jan 2021
Abstract—We study the equivalence between non-perfect se-
cret sharing (NSS) and symmetric private information retrieval
(SPIR) with colluding and unresponsive servers. We prove the
equivalence between NSS and SPIR in the following two senses.
1) Given any SPIR protocol, we can construct an NSS protocol. 2)
Given any linear NSS protocol, we can construct a SPIR protocol.
From this equivalence relation, we prove that the capacity of n-
server SPIR with r responsive servers and r colluding servers is
(r − t)/n.
I. I NTRODUCTION
Secret sharing (SS) and private information retrieval (PIR)
are two extensively studied cryptographic protocols. SS [1],
[2] considers the problem in which a dealer encodes a secret
into n shares so that some subsets of shares can reconstruct the
secret but the other subsets have no information of the secret.
PIR [3] considers the problem in which a user retrieves one
of the multiple files from server(s) without revealing which
file is retrieved. Since PIR with one server has no efficient
solution [3], it has been extensively studied with multiple non-
communicating servers, and thus, in the following, we simply
denote multi-server PIR by PIR. SS and PIR have a similar
structure because the secrecy of both protocols is obtained
by partitioning confidential information and restricting access
to the partitioned information. On the other hand, the two
protocols have a different structure because, in SS, the secret is
both the confidential information and the message but in PIR,
the files are not confidential. From the similarity, there have
been several studies to construct PIR from secret sharing [4],
[5], [6]. However, the relationship between these two protocols
has not been explicitly discussed.
In this paper, we study a kind of equivalence relation
between an extended class of SS, called non-perfect SS (NSS),
and that of PIR, called symmetric PIR (SPIR). NSS is first
discussed by [8], [9] with thresholds, but in this paper, we
discuss NSS with general access structures, which have been
discussed [10], [11], [12], [13], [14]. NSS is defined with
two collections A, B ⊂ 2[n] := 2{1,...,n} which represents the
authorized sets and the forbidden sets, respectively. The shares
indexed by any element of A can reconstruct the secret but
those indexed by any element of B have no information of
the secret. We denote NSS with A and B by (A, B, n)-NSS.
The (A, B, n)-NSS is SS if B = [n] \ A.
SPIR [4] is a variant of PIR in which the user only obtains
the targeted file but no information of the other files. The paper
[4] proved that shared randomness of servers is necessary to
achieve SPIR. We consider SPIR with arbitrary colluding and
response patterns A, B ⊂ 2[n] . We define (A, B, n, f)-SPIR
by the n-server f-file SPIR with the following conditions:
i) the user correctly recovers the targeted file even if only
the servers indexed by A ∈ A answer to the user; ii) the
identity of the retrieved file is not leaked even if the servers
indexed by B ∈ B communicate; and iii) the user obtains
no other information than the targeted file in any case. If
A = {n} and B = [n], (A, B, n, f)-SPIR is the SPIR in
which no servers collude and all servers respond, which has
been discussed in [4], [15]. In existing studies, the paper
[16] discussed SPIR with t colluding servers, the papers [17],
[18] discussed PIR with t colluding servers and r responsive
servers, and the papers [17], [19], [20], [21], [22] discussed
PIR with arbitrary collusion pattern, which is given as B in
our definition. However, SPIR with arbitrary collusion and
response patterns have not been studied.
The first result of this paper is (A, B, n, f)-SPIR implies
(A, B, n)-NSS. Formally, we define (A, B, n, f)-SPIR and
(A, B, n)-NSS protocols with entropic measures of correctness
and secrecies. With abuse of notation, our theorem states
that an (A, B, n, f)-SPIR protocol with nearly perfect mea-
sures implies an (A, B, n)-NSS protocol with nearly perfect
measures. The proof idea is simply described as follows. To
construct an (A, B, n)-NSS protocol from a given (A, B, n, f)-
SPIR protocol, the dealer simulates (A, B, n, f)-SPIR protocol
with the secret of NSS as one of the files, and encodes the
n pairs of the queries and the answers as n shares. Then, the
shares indexed by A reconstruct the secret near-perfectly by
the SPIR’s correctness, and the shares indexed by B have no
information of the secret near-perfectly by the SPIR’s secrecy
conditions.
One interesting corollary of our first result is an upper bound
on the SPIR rate with arbitrary collusion and response patterns.
 TABLE I
D EFINITION OF SYMBOLS
Symbol SPIR Secret Sharing
n Number of servers Number of shares
f Number of files - any set or sequence A = {A1 , . . . , An } and any X ⊂ [n], we
m Bit size of one file Bit size of secret
r Number of responsive servers Reconstruction threshold
t Number of colluding servers Secrecy threshold
With abuse of notation, the PIR rate RPIR is defined as
(Bit size of the targeted file)
RPIR = .
(Bit size of all answers)
Similarly, the SS rate1 RSS is defined as
(Bit size of secret)
RSS = . (2)
(Bit size of maximum share)
In our conversion from SPIR to NSS, any SPIR protocol with
PIR rate RPIR is converted into an NSS protocol with SS
rate RSS = nRPIR . Since any (A, B, n)-NSS protocols satisfy
RSS ≤ δ(A, B) := min{|A − B| | A ∈ A, B ∈ B} [10], [11],
[12], [13] and the share size is the same for all shares in our
conversion, we obtain RPIR ≤ δ(A, B)/n for any (A, B, n, f)-
SPIR protocols. When A (B) consists of all subsets of [n] with
cardinality at least r (at most t), we obtain δ(A, B) = r−t, i.e.,
(A, B, n, f)-SPIR rate is upper bounded by (r−t)/n. Since the
protocol by Tajeddine et al. [18] achieves this PIR rate, our
upper bound proves that the capacity (i.e., the optimal rate) of
SPIR with r responses and t colluding servers is (r − t)/n.
The converse result is a weaker implication from linear
(A, B, n)-NSS to (A, B, n, f)-SPIR. Linear (A, B, n)-NSS is a
well-known class of NSS in which the encoding of the secret is
performed by a linear map of the secret and the randomness.
To prove this result, we define multi-target monotone span
programs (MMSP) with general access structure (A, B), which
we call (A, B, n)-MMSP. Similar to the result that SS is equiv-
alent to monotone span program [23], [24], [25], we prove
that the (A, B, n)-NSS is equivalent to (A, B, n)-MMSP. With
this equivalence, we give a construction of (A, B, n, f)-SPIR
from (A, B, n)-MMSP, which proves that linear (A, B, n)-
NSS implies (A, B, n, f)-SPIR.
The remainder of the paper is organized as follows. Sec-
tion II gives the definitions of NSS, SPIR, and related con-
cepts. Section III presents the main results of the paper.
Section IV proves the conversion from SPIR to NSS. Section V
proves the conversion from linear NSS to SPIR. Section VI
proves the equivalence of linear NSS protocols and MMSPs.
Section VII gives the optimal constructions of NSS and SPIR
with thresholds. Section VIII is the conclusion of the paper.
letters (e.g., a, b), sets by calligraphy letters (e.g., A, B),
parameters in protocols by sans serif lowercase letters (e.g.,
a, b), and matrices by sans serif upper letters (e.g., A, B). We
also denote [n, m] = {n, n + 1, . . . , m} and [n] = [1 : n]. For
denote AX := {Ai | i ∈ X }. For any matrix A ∈ n × m and
any X ⊂ [n], we denote AX is the restricted matrix by the
rows indexed by X . The finite field of order q is denoted by
Fq . For a set A, idA denotes the identity map on A.
II. F ORMAL DEFINITION OF NSS AND SPIR
(1)
In this section, we formally define SPIR, NSS, linear NSS,
and MMSP. For these definitions, we first define monotone
collections.
Definition 1 (Monotone collection). We call A ⊂ 2[n] an
monotone increasing collection if A ∈ A implies C ∈ A
for any A ⊂ C. We call B ⊂ 2[n] a monotone decreasing
collection if B ∈ B implies C ∈ A for any C ⊂ B.
A. Formal definition of symmetric private information re-
trieval (SPIR)
We formally describe a SPIR protocol with one user and n
servers as follows.
Definition 2 ((A, B, n, f)-SPIR). Files are given as a uniform
random variable M = (M1 , . . . , Mf ) ∈ Mf and m := |M|.
Each of n servers contains the files M . The servers share
uniform randomness T = (T1 , . . . , Tn ) ∈ T ⊂ T1 × · · · × Tn ,
which is independent of any other random variables, so that
the j-th server contains Tj . Let K ∈ [f] be the user’s input,
i.e., Mk is the targeted file when K = k.
A protocol Φm SPIR is described by the deterministic map-
pings f, g1 , . . . , gn , h in the following steps.
1) Query: Depending on the user’s private uniform random-
ness R ∈ R, the user prepares n queries by
Q = (Q1 , . . . , Qn ) = f (K, R) ∈ Q1 × · · · × Qn (3)
and sends the j-th query Qj to the j-th server.
2) Answer: The j-th server returns
Aj = gj (Qj , M, Tj ) ∈ Aj (4)
to the user.
3) Reconstruction: Let A = (A1 , . . . , An ) ∈ A := A1 ×· · ·×
An . For some X ⊂ [n], the user outputs
Y = hX (A, K, R) = h(A, K, R, X ) ∈ M. (5)

Notations: We denote random variables by uppercase letters
(e.g., A, B), and values of the random variables by lowercase
1 The SS rate and its inverse are often called information rate and informa-
tion ratio, respectively [26]. However, we call it SS rate to differentiate with
the PIR rate.
Let A, B ⊂ 2[n] be monotone increasing and decreasing
collections, respectively, such that A ∩ B = ∅. The protocol
ΦmSPIR is called an (A, B, n, f)-SPIR protocol with security
(α(Φm m m
SPIR ), β(ΦSPIR ), γ(ΦSPIR )) if the following conditions
are satisfied.
 • Correctness: 2) Reconstruction: The players indexed by X ⊂ [n] output

α(Φm
SPIR ) := max H(Mk |AX R, K = k). (6) Y = hX (SX ) = h(X , S) ∈ L. (11)
k∈[f],X ∈A

Let A, B ⊂ 2[n] be monotone increasing and decreasing

• Server secrecy:
collections, respectively, such that A ∩ B = ∅. The proto-
β(Φm col ΦmNSS is called an (A, B, n)-NSS protocol with security
SPIR ) := max I(A; M[f]\k |R, K = k). (7)
k∈[f] (α(Φm m
NSS ), β(ΦNSS )) if the following conditions are satisfied.

• User secrecy: • Correctness:

γ(Φm
SPIR ) := max I(K; QX ). (8) α(Φm
NSS ) := max H(L|SX ). (12)
X ∈B X ∈A

The PIR rate of the protocol Φm • Secrecy:

SPIR is defined as

log m β(Φm
NSS ) := max I(L; SX ). (13)
RPIR (Φm
SPIR ) := Pn . (9) X ∈B
j=1 log |Aj | The SS rate of the protocol Φm
NSS is defined as

If there is no confusion, we denote α(Φm m log m

SPIR ), β(ΦSPIR ),
m m
γ(ΦSPIR ), RPIR (ΦSPIR ) by α, β, γ, RPIR , respectively. If
(α, β, γ) = (0, 0, 0), the (A, B, n, f)-SPIR protocol has perfect
security. That is, the user can recover the targeted file MK
without error from the answers indexed by any X ∈ A, but
the servers indexed by X ∈ B obtain no information of K.
The achievable rate and capacity of (A, B, n, f)-SPIR is one
of our main interests.
Definition 3 (Achievability of (A, B, n, f)-SPIR). A PIR rate
R is achievable if there is a sequence of (A, B, n, f)-SPIR
protocols {Φm m
SPIR }m∈N such that RSPIR (ΦSPIR ) → R as m →
m m m
∞ and (α(ΦSPIR ), β(ΦSPIR ), γ(ΦSPIR )) = (0, 0, 0) .
Definition 4 (Capacity of (A, B, n, f)-SPIR). Capacity of
(A,B,n,f)
(A, B, n, f)-SPIR, CSPIR , is the supremum of the set of
achievable rates of (A, B, n, f)-SPIR.
As special cases, SPIR with thresholds is defined as follows.
Definition 5 ((r, t, n, f)-SPIR). When A = {X ⊂ [n] | |X | ≥
r} and B = {X ⊂ [n] | |X | ≤ t}, (A, B, n, f)-SPIR protocols
are called (r, t, n, f)-SPIR protocols.
B. Formal definition of non-perfect secret sharing (NSS)
We formally describe a protocol with one dealer and n
players as follows.
Definition 6 ((A, B, n)-NSS). A secret is given as a uniform
random variable L ∈ L and m := |L|. A protocol Φm NSS is
described by the deterministic mappings f, h in the following
steps.
1) Share distribution: Depending on the dealer’s private
uniform randomness R ∈ R, the dealer prepares n shares
by
S = (S1 , . . . , Sn ) = f (L, R) ∈ S1 × · · · × Sn ,
and sends the j-th share Sj to the j-th player.
RSS (Φm
NSS ) := . (14)
maxj∈[n] log |Sj |
If there is no confusion, we denote α(Φm m
NSS ), β(ΦNSS ),
m
RSS (ΦNSS ) by α, β, RSS , respectively. If (α, β) = (0, 0), the
(A, B, n)-NSS protocol has perfect security in the sense that
the players indexed by any X ∈ A can recover L without error,
but the players indexed by any X ∈ B obtain no information
of L.
The achievable rate and capacity of (A, B, n)-NSS are
defined as follows.
Definition 7 (Achievability of (A, B, n)-NSS). A SS rate R is
achievable if there is a sequence of (A, B, n)-NSS protocols
{Φm m
NSS }m∈N such that RSS (ΦNSS ) → R as m → ∞ and
m m
(α(ΦNSS ), β(ΦNSS )) = (0, 0).
Definition 8 (Capacity of (A, B, n)-NSS). Capacity of
(A,B,n)
(A, B, n)-NSS, CNSS , is the supremum of the set of achiev-
able rates of (A, B, n)-NSS.
As special cases, NSS with thresholds is defined as follows.
Definition 9 ((r, t, n)-NSS). When A = {X ⊂ [n] | |X | ≥ r}
and B = {X ⊂ [n] | |X | ≤ t}, (A, B, n)-NSS protocols are
called (r, t, n)-NSS protocols.
C. Formal definition of linear NSS and multi-target monotone
span program (MMSP)
Definition 10 (Linear NSS). Suppose that the secret L is
prepared as L = (L1 , . . . , Lx ) ∈ Fxq , and the dealer’s private
randomness R is prepared as R = (R1 , . . . , Ry ) ∈ Fyq . A
protocol Φm NSS is called a linear NSS protocol if the encoder
f is a linear map from Fx+y to Fzq that maps (Z1 , . . . , Zz ) =
q
f (L1 , . . . Lx , R1 , . . . , Ry ) and the j-th secret is generated by
Sj = (Zi | i ∈ τ (j)) with a map τ : [z] → [n].
(10)
We define multi-target monotone programs (MMSP) [26]
with authorized and forbidden sets as follows.
Definition 11 (Multi-target monotone span program (MMSP)).
Given positive integers n, x, y, z, a pair P = (G, τ ) of a matrix
z×(x+y)
G = (G′ , G′′ ) ∈ Fq = Fqz×x × Fqz×y and a map τ : [z] →
[n] is called a multi-target monotone span program (MMSP).
Let ei be the vector with 1 in the i-th coordinate and 0 in the
others. Let E := {e1 , . . . , ex } and A, B ⊂ 2[n] be monotone
increasing and decreasing collections, respectively, such that
A ∩ B = ∅. We call
• P accepts A if E is included in the row space of Gτ −1 (X )
for any X ∈ A, and
• P rejects B if the set Gτ −1 (X ) ∩E is linearly independent
for any X ∈ B.
We call an MMSP P that accepts A and rejects B (A, B, n)-
MMSP. We call the ratio x/z the MMSP rate RMMSP .
As special cases, we define (A, B, n)-MMSPs with thresh-
old as follows.
Definition 12 ((r, t, n)-MMSP). When A = {X ⊂ [n] | |X | ≥
r} and B = {X ⊂ [n] | |X | ≤ t}, (A, B, n)-MMSPs are
called (r, t, n)-MMSPs.
Remark 1. The paper [26] defined MMSP for the case
A ∪ B = 2[n] and A ∩ B = ∅, i.e., every subset of [n] is
either authorized or forbidden. When x = 1, MMSPs are called
monotone span programs [24].
Remark 2 (Relation between (r, t, n)-MMSPs and maximum
distance separable (MDS) codes). (r, t, n)-MMSPs are related
with maximum distance separable (MDS) codes. The column
space of a matrix A ∈ Fqn×k is called an (n, k)-MDS code if
any k rows of A are linearly independent, and the matrix A
is called the generator matrix of the MDS code. In addition
to its direct application to error-correction, the MDS code has
many applications in private information retrieval [27], [28],
[29], [37], [18], secret sharing [1], [9], wiretap channel II [30],
secure network coding [31], [32], and cryptography [33].
Suppose that an (r, t, n)-MMSP is defined with the con-
ditions τ := id[n] and (x, y, z) := (r − t, t, n). Then, G =
n×(r−t)
(G′ , G′′ ) ∈ Fq × Fqn×t . We can easily checked that G
′′
(G ) is the generator matrix of an (n, r)-MDS code ((n, t)-
MDS code) as follows. First, any t rows of G2 are linearly
independent from the rejection condition of the MMSP. Thus,
G′′ is the generator matrix of an (n, t)-MDS code. Also, we
can show that any r rows of G are linearly independent from
the acceptance condition of the MMSP and the MDS property
of G′′ . To be precise, without losing generality, we prove that
G[r] ∈ Fqr×r is invertible as follows.
The acceptance condition implies span E ⊂ span G[r] ,
where span denotes the linear span of vectors or the row span
of a matrix. Thus, span E ⊕span G[t] ⊂ span G[r] . On the other
hand, the rejection condition implies span G[t] ∩span E = {0}.
Thus, we have r = dim(span E ⊕ span G[t] ) ≤ dim G[r] ≤ r,
which implies G[r] is invertible.
III. M AIN R ESULTS
A. Conversion from SPIR to NSS
The following protocol converts a SPIR to an NSS.
Protocol 1. Let Φm SPIR be a SPIR protocol. Then, an NSS
protocol Φm m
NSS [ΦSPIR ] is constructed by showing the protocol
to calculate j-th share for j = 1, . . . , n. Let L be the secret
of the dealer. The dealer simulates Φm SPIR with K = 1 and
M1 := L. From this simulation of Φm SPIR , the dealer generates
queries Q1 , . . . , Qn and answers A1 , . . . , An . Then, the j-th
share is given as Sj := (Aj , Qj ).
Our first result is as follows.
Theorem 1. Let Φm SPIR be an (A, B, n, f)-SPIR protocol with
security (α, β, γ) and rate RPIR . Then, the NSS protocol
Φm m
NSS [ΦSPIR ] defined in Protocol 1 √
is an (A, B, n)-NSS
√ pro-
m
tocol ΦNSS with security (α, β + 4 2γ log m + 2h2 ( 2γ))
and SS rate RSS ≤ nRPIR , where h2 is the binary entropy
function h2 (p) = −p log p − (1 − p) log(1 − p).
In particular, we obtain the following corollary.
Corollary 1. If there is an (A, B, n, f)-SPIR protocol with
security (α, β, γ) = (0, 0, 0) and PIR rate RPIR , the SS
rate nRPIR is achievable for (A, B, n, f)-NSS with security
(α, β, γ) = (0, 0, 0).
We give the proof of Theorem 1 and Corollary 1 in
Section IV.
Remark 3. The same implication from SPIR to NSS of
Theorem 1 is also possible even for multi-round SPIR with
coded database by the same proof. However, for simplicity,
we only consider one-round protocol when all files replicated
in each server.
In the remainder of this section, we only discuss the case
(α, β, γ) = (0, 0, 0) for SPIR and (α, β) = (0, 0) for NSS. An
upper bound of SS rate for (A, B, n)-NSS is proved in [10],
[11], [12], [13].
Proposition 1 ([10], [11], [12], [13]). For A, B ⊂ 2[n] , let
δ(A, B) := min{|A − B| | A ∈ A, B ∈ B}. Any (A, B, n)-
NSS protocol satisfies
RSS ≤ δ(A, B). (15)
In particular, for (r, t, n)-NSS, RSS ≤ r − t.
As a corollary of Theorem 1 and Proposition 1, we obtain
an upper bound of the SPIR capacity.
Corollary 2. For A, B ⊂ 2[n] , let δ(A, B) := min{|A − B| |
A ∈ A, B ∈ B}. Then,
1 (A,B,n) 1
(A,B,n,f)
CSPIR ≤ C ≤ δ(A, B).
n NSS n
 Tajeddine et al. [18] constructed a protocol of • Answer: We concatenate the files as M =
symmetric/non-symmetric PIR from coded storage with (M1 , . . . , Mf )⊤ ∈ Ffx
q . The j-th server returns
colluding, byzantine, and unresponsive servers, with PIR rate
(r − k − 2b − t + 1)/n1 , where r is the number of responding Aj = Zτ −1 (j) M + G2,τ −1 (j) T ∈ F|τ
−1
(j)|
. (17)
q
servers, k is the code rate of the storage database, b is the
number of byzantine servers. When (k, b) = (1, 0), their
protocol is an (r, t, n, f)-SPIR protocol. Thus, we obtain the • Reconstruction: For some X ∈ [n], the user applies a
following proposition. reconstruction map hX so that hX (AX ) = Mk .
Proposition 2 ([18]). There exists an (r, t, n, f)-SPIR protocol
Our second theorem is as follows.
with PIR rate (r − t)/n.
Theorem 2. Let P be an (A, B, n)-MMSP with rate RMMSP .
Combining Corollary 2 and Proposition 2, we obtain the Then, the SPIR protocol Φm SPIR [P] defined in Protocol 2 is an
capacity of SPIR with r responsive servers and t colluding (A, B, n, f)-SPIR protocol ΦmSPIR for any f ≥ 2 with PIR rate
servers as follows. RPIR = RMMSP.
Corollary 3. The capacity of n-server SPIR with r responsive
We give the proof of Theorem 2 in Section V.
servers and t colluding servers is (r − t)/n.
Combining Theorem 2 and the equivalence of linear NSS
Remark 4. The SPIR capacity in Corollary 3 can also be
and MMSP (Theorem 3 in Section III-C), we obtain the
proved similar to the paper [28]. However, Corollary 3 is
following implication from linear NSS to SPIR.
directly obtained from the known results of NSS (Corollary 2)
and SPIR (Proposition 2). Corollary 4. Let Φm NSS be a linear (A, B, n)-NSS protocol.
There exists an (A, B, n, f)-SPIR protocol Φm
SPIR for any f ≥
Remark 5. As stated in Remark 3, Theorem 1 is also
2.
applicable to multi-round SPIR protocols. Since multi-round
SPIR capacity is greater than one-round SPIR capacity, our
result also implies that the multi-round capacity of (r, t, n)-
SPIR is (r − t)/n, i.e., the same as the one-round capacity. C. Equivalence of linear NSS and MMSP

B. Conversion from linear NSS to SPIR For the proof of Corollary 4, we prove the equivalence of
MMSP and linear NSS. The papers [23], [24], [25] proved
In this subsection, we prove the implication from linear the equivalence of linear SS protocols and monotone span
NSS to SPIR. As will be discussed in Section III-C, a linear programs (i.e., MMSPs with x = 1). Similarly, we prove
(A, B, n)-NSS protocol is equivalent to an (A, B, n)-MMSP the equivalence of linear NSS protocols and MMSPs by the
P = (G, τ ). Thus, we construct an (A, B, n, f)-SPIR protocol following conversions.
from an (A, B, n)-MMSP.
Protocol 3. Suppose a linear NSS protocol is defined with a
First, we define a SPIR protocol from an MMSP. linear encoder f : Fx+y
q → Fzq and a map τ : [z] → [n]. Let
Protocol 2. Let P = (G, τ ) is an MMSP. We denote G = Gf be the matrix representation of the linear map f . Then, an
(G′ , G′′ ) ∈ Fqz×x × Fqz×y . Let f be an arbitrary positive integer MMSP P[Φm NSS ] := (Gf , τ ) is defined.
at least 2. An SPIR protocol Φm SPIR [P] is defined as follows. Protocol 4. Let P = (G, τ ) be an MMSP and fG be the linear
Let f be an arbitrary positive integer greater than 1. The map associated with G. Then, a linear NSS protocol Φm NSS [P]
f file are given as Mi ∈ Fxq . The shared randomness of the is defined with the linear encoder fG and the map τ .
servers is given as T ∈ Fyq . When K = k is fixed, we define Theorem 3. Given a linear (A, B, n)-NSS protocol Φm NSS , the
the query and the answer as follows. MMSP P[Φm NSS ] defined in Protocol 3 is an (A, B, n)-MMSP.
Conversely, given an (A, B, n)-MMSP protocol P, the NSS
• Query: Let Ek ∈ Fx×fx
q = Fx×x
q ×· · ·×Fx×x
q be the matrix
protocol Φm
NSS [P] defined in Protocol 4 is a linear (A, B, n)-
whose k-th block is the x × x identity matrix and other
NSS protocol.
blocks are zero. Let R be the uniform random matrix in
Fy×fx
q . The user prepares the query as
  We give the proof of Theorem 3 in Section VI.
Ek
Z=G = G′ Ek + G′′ R ∈ Fqz×fx . (16)
R
Depending on the index map τ , the user sends Zτ −1 (j) ∈ IV. C ONVERSION OF SPIR TO NSS
|τ −1 (j)|×fx
Fq to the j-th server.
1 In In this section, we prove Theorem 1 and Corollary 1. For
[18], the denominator is n − r since they did not counted the cost of
downloading answers from unresponsive servers. the proof, we prepare the following lemma.
Lemma 1. For any (A, B, n, f)-SPIR with correctness α, we Lastly, we construct a protocol satisfying both conditions 1)
′
have and 2). Let Φm SPIR be the (A, B, n, f)-SPIR protocol of PIR
rate RPIR satisfying condition 1). Let σ be the right cyclic
max H(Mk |AX Q, K = k) ≤ α (18) shift of [n], i.e., σ(i) = i + 1 for i ≤ n and σ(n) = 1.
k∈[f],X ∈A
′
Suppose we apply the protocol Φm SPIR n times and we denote
max I(AQ; M[f]\k |K = k) ≤ β (19) j
k∈[f] the answers at round j by A1 ∈ A1 , . . . , Ajn ∈ An . We modify
this n repetitions so that the answer from the i-th server is
Lemma 2. For any X ⊂ [f] such that |X | ≤ t, (Ajσj (i) | j ∈ [n]). Then, the total size of the answers from
Pn
each server are identically i=1 log |Ai |, which implies the
p p
I(M1 ; AX QX |K = 1) ≤ β + 4 2γ log m + 2h2 ( 2γ). ′
(20) condition 2). Condition 1) is also satisfied because Φm SPIR
already satisfies condition 1). This modified protocol is also
The proofs of Lemmas 1 and 2 are given in Appendices A a (A, B, n, f)-SPIR protocol and has the same PIR rate as
′
and B, respectively. ΦmSPIR .

Now, we prove Theorem 1 from Protocol 1.

Remark 6. In the proof of Corollary 1, conditions 1) and 2)
have also been considered in the previous PIR studies. The
Proof of Theorem 1. The correctness of the NSS protocol
proof idea of condition 1) is the motivation to define the PIR
Φm m
NSS [ΦSPIR ] is α from
√ (18), and the √secrecy condition of rate without considering the query cost [34], [35]. The idea
ΦNSS [Φm
m
SPIR ] is β + 4 2γ log m + 2h2 ( 2γ) from Lemma 2.
similar to condition 2) has been considered [29], [36] for the
Thus, the protocol Φm m
NSS [ΦSPIR
√ ] is an (A, B, n,
√f)-NSS proto- proof of the converse bound.
col with security (α, β + 4 2γ log m + 2h2 ( 2γ)). The SS
rate of Protocol 1 is Remark 7. Several known (r, t, n, f)-SPIR protocols, e.g.,
log m n log m [18], [27], [28], [37], satisfies the condition
RSS = = (21)
maxj∈[n] log |Sj | n maxj∈[n] log |Sj |
n log m n log m I(M1 ; A|K = 1) = 0 (24)
≤P = P (22)
j∈[n] log |Sj | j∈[n] log |Aj | + log |Qj |
n log m in addition to (20). Given these SPIR protocols, we can
≤P = nRPIR , (23) construct a more efficient NSS protocol than Protocol 1
j∈[n] log |Aj |
by replacing the j-th share Sj as Aj (without Qj ) from
which proves Theorem 1 for the case (α, β, γ) 6= (0, 0, 0). Protocol 1.

The proof of Corollary 1 is as follows.

V. C ONVERSION OF MMSP TO SPIR
Proof of Corollary 1. Given an (A, B, n, f)-SPIR protocol
ΦmSPIR with (α, β, γ) = (0, 0, 0) and the PIR rate RPIR , we In this section, the SPIR protocol Φm SPIR [P] defined in
construct an NSS protocol of which the SS rate is arbitrarily Protocol 2 from an (A, B, n)-MMSP P is an (A, B, n, f)-SPIR
close to nRPIR as follows. The key idea is to convert the protocol. For the proof of Theorem 3, we prepare the following
protocol Φm SPIR to another SPIR protocol of the same PIR proposition.
rate with two conditions: 1) the size of queries is negligible
to the size of the answers, and 2) the size of all answers are Proposition 3. For any uniform random variable X ∈ Fnq and
the same. Then, converting the SPIR protocol with conditions A ∈ Fm×n
q , we have H(AX) = rank A log q.
1) and 2) into an NSS protocol by Protocol 1, the equalities
of (22) and (23) hold. Thus, we obtain the desired statement. Now, we prove Theorem 2.
In the following, we show how to construct a SPIR protocol
with conditions 1) and 2) from Φm SPIR .
Proof of Theorem 2. First, we prove the correctness of the
To achieve the condition 1), the user and the servers apply SPIR protocol Φm SPIR [P]. Let X ∈ A. Since P accepts A, i.e.,
the answer and reconstruction steps of Φm SPIR multiple times the row space of Gτ −1 (X ) contains e1 , . . . , ex for any X ∈ A,
with the same queries. To be precise, when the SPIR protocol there exists a matrix K such that
Φm m
SPIR retrieves m-bit files, the same queries of ΦSPIR can be
used for the retrieval of xm-bit files by reusing the queries
x times. Then, by increasing x arbitrarily large, the size of KGτ −1 (X ) = (Ix , Ox×y ), (25)
queries becomes negligible to the size of the answers. This
modified protocol is also a (A, B, n, f)-SPIR protocol and has where Ix is the x × x identity matrix and Ox×y is the x × y zero
the same PIR rate as Φm SPIR . matrix. On the other hand, when the user receives the answers
indexed by X ⊂ [n], the collection of the answers is written Proof of Theorem 3. First, we prove that the MMSP P[Φm NSS ]
as defined in Protocol 3 from a linear (A, B, n)-NSS protocol is
an (A, B, n)-MMSP. We denote Gf = (G′f , G′′f ) ∈ Fqz×x Fqz×y .
AX = Zτ −1 (X ) M + G2,τ −1 (j) T (26) For any X ∈ B, the MMSP P[Φm NSS ] satisfies
= G′τ −1 (X ) Ek M + G′′τ −1 (X ) (RM + T) (27)
(a) (b)
= G′τ −1 (X ) Mk + G′′τ −1 (X ) T ′ (28) rank Gf,τ −1 (X ) log q = H(SX ) = H(SX |L = ℓ) (38)
 
Mk = H(G′f,τ −1 (X ) L + G′′τ −1 (X ) R|L = ℓ) (39)
= Gτ −1 (X ) ∈ F|X
q ,
|
(29)
T′ (c)
= H(G′′f,τ −1 (X ) R) = rank G′′f,τ −1 (X ) log q (40)
where T ′ := RM + T ∈ Fyq . Thus, by applying K to the where (a) and (c) are from Proposition 3 and (b) is from the
answers AX , the user obtains KAX = Mk correctly. The secrecy condition I(L; SX ) = 0 of the NSS protocol. Since
reconstruction map hX is defined as the associated linear map the fact that P rejects B is equivalent to
of K.
′ rank G′′f,τ −1 (X ) = rank Gf,τ −1 (X ) ∀X ∈ B, (41)
Server secrecy of Φm
SPIR [P] is proved as follows. Since T in
(29) is uniformly random, for any X ∈ [n], the user’s received Eq. (40) implies that P rejects B. Next, we prove that the
information (29) does not depend on the files except for Mk . MMSP P[Φm NSS ] accepts A. Let X ∈ A, i.e.,
User secrecy of Φm SPIR [P] is proved as follows. When the H(L|SX ) = 0. (42)
servers indexed by X ∈ B collude, the queries are written as
  Then, there exists a function h such that h(SX ) = L. That is,
Ek
Zτ −1 (X ) = Gτ −1 (X ) . (30)   
L
R h(SX ) = h Gτ −1 (X ) = L. (43)
R
From Lemma 3 and the uniform randomness of R, the distri-
bution of Zτ −1 (X ) does not depend on the value of k. Since (43) holds for any L ∈ Fxq and R ∈ Fyq , h is written
as a linear map from Im GX to Fxq and the associated matrix
The PIR rate is RPIR = x/z = RMMSP . x×|τ −1 (X )|
K h ∈ Fq satisfies
VI. E QUIVALENCE OF NSS AND MMSP Kh Gτ −1 (X ) = (Ix , Ox×y ), (44)

In this section, we prove Theorem 3. For the proof, we where Ix is the x × x identity matrix and Ox×y is the x × y
prepare the following lemma. zero matrix. Thus, the row space of Gτ −1 (X ) includes the row
space of (Ix , Ox×y ), which implies that the MMSP P[Φm NSS ]
Lemma 3. Let P = (G, τ ) be an (A, B, n)-MMSP. Let X ∈ accepts A.
Fxq and Y ∈ Fyq be uniform random vectors and
  Next, we prove that the linear NSS protocol Φm NSS [P]
X defined in Protocol 4 from an (A, B, n)-MMSP is a linear
Zτ −1 (X ) = Gτ −1 (X ) . (31)
Y (A, B, n)-NSS protocol. Since the linear encoding fG of the
Then, for any X ∈ B, linear NSS protocol ΦmNSS [P] is defined from the matrix G,
we have
H(Zτ −1 (X ) ) = H(Zτ −1 (X ) |X = x) (32)  
L1
for any x ∈ Fxq , i.e., I(Zτ −1 (X ) ; X) = 0.  .. 
   . 
Z1  
 ..   Lx 
Proof. The fact that P rejects B is equivalent to Z =  .  = G R1 
 (45)
Zz
 
 .. 
rank G′′τ −1 (X ) = rank Gτ −1 (X ) ∀X ∈ B. (33)  . 
Ry
From this relation, we obtain   
L1 R1
H(Zτ −1 (X ) |X = x) (34) ′  ..  ′′  .. 
= G  .  + G  . . (46)
= H(G′τ −1 (X ) x + G′′τ −1 (X ) R) (35) Lx Ry
(a)
= H(G′′τ −1 (X ) R) = rank G′′τ −1 (X ) log q (36) For any X ∈ [n], the collection of the shares indexed by X is
(b) written as
= rank Gτ −1 (X ) log q = H(Zτ −1 (X ) ), (37)    
L1 R1
where (a) and (b) are from Proposition 3. ′  ..  ′′  .. 
SX = Gτ −1 (X )  .  + Gτ −1 (X )  .  . (47)
Now, we prove Theorem 3. Lx Ry
Since the MMSP P accepts A, i.e., the row space of Gτ −1 (X ) VIII. C ONCLUSION
contains e1 , . . . , ex for any X ∈ A, there exists a matrix H ∈
Fx×z
q such that We have studied the equivalence relation between non-
  perfect secret sharing and symmetric private information re-
L1 trieval. We defined the two protocols with monotone increasing
 .. 
HSX =  .  , (48) and decreasing collections A and B, which represent the
Lx authorized and forbidden sets for non-perfect secret sharing
and the responsive and colluding servers for symmetric private
which implies the correctness condition H(L|SX ) = 0 information retrieval. We first showed that any SPIR protocols
(∀X ∈ A), i.e., the linear NSS Φm NSS [P] accepts A. On the can be converted into NSS protocols and the optimal achiev-
other hand, applying Lemma 3 for (X, Y ) := (L, R), the able rate of SPIR is upper bounded by that of NSS. Combining
protocol Φm NSS [P] satisfies the secrecy condition I(L; SX ) = an upper bound of NSS rates with the SPIR protocol by
I(L; Zτ −1 (X ) ) = 0 (∀X ∈ B). Tajeddine et al. [18], we proved the capacity of SPIR with
r responsive servers and t colluding servers are (r − t)/n. For
VII. O PTIMAL CONSTRUCTION OF (r, t, n)-NSS AND the converse part, we showed linear NSS implies SPIR. We
(r, t, n, f)-SPIR proved this implication by the equivalence of linear NSS and
multi-target monotone span program.
In this section, we construct (r, t, n)-NSS and (r, t, n, f)-
SPIR protocols with optimal rates from a (r, t, n)-MMSP. The
proposed protocols are already proposed by Yamamoto [9] and IX. ACKNOWLEDGEMENT
by Tajeddine et al. [18] (as a special case), but we construct
SS is supported by JSPS Grant-in-Aid for JSPS Fellows
these protocols from MMSPs.
No. JP20J11484. MH was supported in part by Guangdong
In the following, we assume that the size of the finite field Provincial Key Laboratory (Grant, No. 2019B121203002).
Fq is at least n. We define an MMSP P = (G, τ ) by the
Vandermonde matrix, which is also the generator matrix of A PPENDIX A
a Reed-Solomon code [38]. Let (x, y, z) = (r − t, t, n) and P ROOF OF L EMMA 1
τ = id[n] .
    For any K = k and X ∈ A, we have
1 α1 · · · αx+y−1 1 α1 · · · αr−1
1 α21 · · · α2x+y−1  1 α21 · · · α2r−1  H(Mk |AX Q) = H(Mk AX |Q) − H(AX |Q) (51)
G = . ..  =  .. ..  .
   
.. .. .. .. (a)
 .. . . .   . . . .  = H(Mk AX |RQ) − H(AX |RQ) (52)
z z n n
1 α1 · · · αx+y−1 1 α1 · · · αr−1 (b)
= H(Mk AX |R) − H(AX |R) (53)
Then, we can easily confirm that the MMSP P accepts A =
= H(Mk |AX R) (54)
{X ⊂ [n] | |X | ≥ r} and rejects B = {X ⊂ [n] | |X | ≤ t} as
(c)
follows. For any permutation π of [n], the matrices ≤ max H(Mk |AY R) ≤ α. (55)
  Y∈A
π(1) π(1)
1 α1 · · · αr−1
. .. .. ..  r×r
The equality (a) is from the fact that R − Q − A and
A=  .. . . .  ∈ Fq , (49) R−Q−AMk are Markov chains, respectively, i.e., H(A|R) =

π(r) π(r) H(A|RQ) and H(Mk A|R) = H(Mk A|RQ). The equality
1 α1 ··· αr−1
  (b) holds because Q = f (k, R) from the query step of Defi-
Ir−t ··· 0
π(1) π(1)  nition 2. The inequality (c) is from the correctness condition
1 α1 ··· αr−1 

r×r (6). By taking maximum over k ∈ [f], we obtain (18).
B=
 .. .. ..
.
..  ∈ Fq (50)
. . .  Similarly, from the Markov property of R − Q − A and
π(t) π(t)
1 α1 ··· αr−1 R − QM[f]\k − A, we obtain (19).
are invertible matrices. Eq. (49) guarantees the acceptance of
P because the row span of A is Frq and thus includes E = A PPENDIX B
{e1 , . . . , er−t }. Eq. (50) guarantees the rejection of P because P ROOF OF L EMMA 2
the first n − r rows of B are elements of E = {e1 , . . . , er−t }.
For the proof, we define the variational distance
Thus, the linear NSS protocol ΦmNSS [P] defined in Protocol 4 X
is an (r, t, n)-NSS protocol with the SS rate RSS = r − t, d(p, q) := |p(x) − q(x)|. (56)
and the SPIR protocol Φm SPIR [P] defined in Protocol 2 is an
x

(r, t, n)-SPIR protocol with the PIR rate RPIR = (r − t)/n. Throughout this section, we denote the distribution of a
Given t, r, n, these protocols are optimal from Proposition 1 random variable X by PX and the probability PX (x) by Px ,
and Corollary 3. i.e., subscript with the lowercase letter of X.
 First, we prepare the following proposition. where the inequality (c) holds since K − QX − M1 AX is
a Markov chain. Then, from Eq. (64) and the triangular
Proposition 4 (Classical Alicki-Fannes inequality [39]). Let
inequality, we obtain (58) as
X, Y be random variable on X , Y and p, q be P
probability dis- p
tributions on X × Y such that ǫ := 2d(p, q) = x,y |p(x, y) − 2γ ≥ d(pM1 AX QX |K=1 , pM1 AX QX ) (75)
q(x, y)|. Then, + d(pM1 AX QX |K=2 , pM1 AX QX ) (76)
|H(pX|Y ) − H(qX|Y )| ≤ 4ǫ log |X | + 2h2 (ǫ). (57) ≥ d(pM1 AX QX |K=1 , pM1 AX QX |K=2 ). (77)

Remark 8. In [39], Proposition 4 is originally proved for Step 2: Let

quantum systems and states. By restricting the quantum sys- p p
tems and states as classical systems and random variables, we g(γ, m) := 4 2γm + 2h2 ( 2γ). (78)
directly obtain Proposition 4. With this, we obtain

Now, we prove Lemma 2 |I(M1 ; AX QX |K = 1) − I(M1 ; AX QX |K = 2)| (79)

= |H(M1 |AX QX , K = 1) − H(M1 |AX QX , K = 2)| (80)
Proof of Lemma 2. We prove the lemma by two steps. (a) p p
≤ 4 2γ log |M| + 2h2 ( 2γ) (81)
Step 1: First, we prove = g(γ, m), (82)
p
d(PM1 AX QX |K=1 , PM1 AX QX |K=2 ) ≤ 2γ. (58) where (a) is obtained by combining Proposition 4 and (58).
Rearranging the inequality (82), we obtain the desired inequal-
For any X ∈ B, we have ity as
γ ≤ I(K; QX ) (59) I(M1 ; AX QX |K = 1) ≤ I(M1 ; AX QX |K = 2) + g(γ, m)
= D(PKQX kPK × PQX ) (60) ≤ I(M[f]\2 ; AQ|K = 2) + g(γ, m)
(a) X (b)
= PK=k D(PQX |K=k kPQX ) (61) ≤ β + g(γ, m),
k
where (b) is from (19).
X
≥2 PK=k d2 (PQX |K=k , PQX ) (62)
k
≥ max 2d2 (PQX |K=k , PQX ) (63) R EFERENCES
k
(b) [1] A. Shamir, “How to share a secret,” Communications of the ACM,
= max 2d2 (PM1 AX QX |K=k , PM1 AX QX ). (64) 22(11):612–613, 1979.
k
[2] G.R. Blakley, “Safeguarding Cryptographic Keys,” Managing Require-
ments Knowledge, International Workshop on (AFIPS), 48: 313–317,
The equality (a) is from 1979.
[3] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private informa-
D(PKQX kPK × PQX ) (65) tion retrieval,” Journal of the ACM, 45(6):965–981, 1998.
X [4] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. “Protecting data
= PkqX (log PkqX − log Pk PqX ) (66) privacy in private information retrieval schemes,” Journal of Computer
k,qX and Systems Sciences, 60(3):592–629, 2000. Earlier version in STOC
X 98.
= Pk PqX |k (log PqX |k − log PqX ) (67) [5] A. Beimel, Y. Ishai, E. Kushilevitz, and I. Orlov, “Share Conversion
k,qX and Private Information Retrieval,” 2012 IEEE 27th Conference on
X Computational Complexity (CCC), 2012.
= Pk D(PQX |K kPQX ). (68) [6] L. Li, M. Militzer, and A. Datta, “rPIR: ramp secret sharing-based
k communication-efficient private information retrieval,” Int. J. Inf. Secur.
16, 603–625, 2017.
The equality (b) is from [7] H. Yang, W. Shin, and J. Lee, “Private Information Retrieval for
Secure Distributed Storage Systems,” IEEE Transactions on Information
Forensics and Security, pp.(99):1-1, 2018.
d(PM1 AX QX |K=k , PM1 AX QX ) (69) [8] G.R. Blakley and C.A. Meadows, “Security of ramp schemes,” CRYPTO
1X 1984, Lecture Notes in Computer Science 196, Springer, pp.242–268,
= |Pm1 aX qX |k − Pm1 aX qX | (70) 1985.
2 [9] H. Yamamoto, “On secret sharing systems using (k, L, n) threshold
1 X
scheme,” IECE. Trans., J68–A(9):945–952, 1985. (in Japanese). English
= |Pm1 aX |kqX PqX |k − Pm1 aX |qX PqX | (71) translation: Electronics and Communications in Japan, Part I, vol. 69,
2
(c) 1 X no. 9, pp. 46–54, Scripta Technica, Inc., 1986.
= |Pm1 aX |qX PqX |k − Pm1 aX |qX PqX | (72) [10] W. Ogata, K. Kurosawa, and S. Tsujii, “Nonperfect Secret Sharing
2 Schemes,” Advances in Cryptology, Auscrypt 92, Lecture Notes in
1X Comput. Sci., 718, 56–66, 1993.
= |PqX |k − PqX | (73) [11] K. Okada and K. Kurosawa, “Lower Bound on the Size of Shares of
2
Nonperfect Secret Sharing Schemes,” Advances in Cryptology, Asiacrypt
= d(PQX |K=k , PM1 AX QX ) (74) 94, Lecture Notes in Comput. Sci., 917, 33–41, 1995.
[12] P. Paillier, “On ideal non-perfect secret sharing schemes,” Security [37] R. Freij-Hollanti, O. W. Gnilke, C. Hollanti, and D. A. Karpuk, “Private
Protocols, 5th International Workshop, Lecture Notes in Comput. Sci., information retrieval from coded databases with colluding servers,”
1361, 207–216, 1998. SIAM J. Appl. Algebra Geometry, vol. 1, no. 1, pp. 647–664, 2017.
[13] O. Farràs, T. Hansen, T. Kaced, C. Padró, “On the information ratio of [38] I. S. Reed, G. Solomon, “Polynomial Codes over Certain Finite Fields,”
non-perfect secret sharing schemes,” Algorithmica, , vol. 79, no. 4, pp. Journal of the Society for Industrial and Applied Mathematics, 8 (2):
987-1013, 2017. 300–304, 1960.
[14] O. Farràs, T. Hansen, T. Kaced, C. Padró, “Optimal non-perfect uniform [39] R. Alicki and M. Fannes, “Continuity of quantum mutual information,”
secret sharing schemes,” CRYPTO 2014, Part II, Lecture Notes in J. of Phys. A: Math. and Gen., 37(5):L55–L57, 2004.
Computer Science 8617, Springer, pp.217–234, 2014.
[15] H. Sun and S. Jafar, “The Capacity of Symmetric Private Information
Retrieval,” 2016 IEEE Globecom Workshops (GC Wkshps), Washington,
DC, 2016, pp. 1–5.
[16] Q. Wang and M. Skoglund, “Secure private information retrieval from
colluding databases with eavesdroppers,” Proc. IEEE Int. Symp. Inf.
Theory (ISIT), pp. 2456–2460, 2018.
[17] Y. Zhang and G. Ge, “Private information retrieval from MDS coded
databases with colluding servers under several variant models,” arXiv
preprint: 1705.03186, 2017.
[18] R. Tajeddine, O. W. Gnilke, D. Karpuk, R. Freij-Hollanti and C. Hollanti,
“Private Information Retrieval From Coded Storage Systems With
Colluding, Byzantine, and Unresponsive Servers,” IEEE Transactions
on Information Theory, vol. 65, no. 6, pp. 3898-3906, 2019.
[19] H. Sun and S. A. Jafar, “Private information retrieval from MDS coded
data with colluding servers: Settling a conjecture by Freij-Hollanti et
al.,” IEEE Transactions on Information Theory, 64(2):1000–1022, 2018.
[20] R. Tajeddine, O. W Gnilke, D. Karpuk, R. Freij-Hollanti, C. Hollanti,
and S. El Rouayheb, “Private information retrieval schemes for coded
data with arbitrary collusion patterns,” 2017 IEEE International Sympo-
sium on Information Theory (ISIT), pp. 1908–1912, 2017.
[21] Z. Jia, H. Sun, and S. A. Jafar, “The capacity of private information
retrieval with disjoint colluding sets,” Proceedings of 2017 IEEE Global
Communications Conference, 2017.
[22] X. Yao, N. Liu, and W. Kang, “The Capacity of Private Information
Retrieval Under Arbitrary Collusion Patterns,” Proceedings of 2020
IEEE International Symposium on Information Theory (ISIT), pp. 1041–
1046, 2020.
[23] E. F. Brickell, “Some ideal secret sharing schemes,” Journal of Combin.
Math. and Combin. Comput., 6:105–113, 1989.
[24] M. Karchmer and A. Wigderson, “On span programs,” Proc. of the 8th
IEEE Structure in Complexity Theory, pp. 102–111, 1993.
[25] A. Beimel, “Secure Schemes for Secret Sharing and Key Distribution,”
PhD thesis, Technion, 1996. www.cs.bgu.ac.il/ beimel/pub.html.
[26] A. Beimel, “Secret-Sharing Schemes: A Survey,” Chee Y.M. et al.
(eds) Coding and Cryptology. IWCC 2011. Lecture Notes in Computer
Science, vol 6639, Springer, Berlin, Heidelberg, 2011.
[27] Q. Wang and M. Skoglund, “Symmetric private information retrieval
for MDS coded distributed storage,” Proceedings of 2017 IEEE Inter-
national Conference on Communications (ICC), pp. 1–6, 2017.
[28] Q. Wang and M. Skoglund, “Secure Symmetric Private Information
Retrieval from Colluding Databases with Adversaries,” 2017 55th An-
nual Allerton Conference on Communication, Control, and Computing
(Allerton), pp. 1083–1090, 2017.
[29] K. Banawan and S. Ulukus, “The Capacity of Private Information
Retrieval from Coded Databases,” IEEE Transactions on Information
Theory, vol. 64, no. 3, 2018.
[30] L. H. Ozarow and A. D. Wyner, “Wire-tap-channel II,” AT&T Bell Labs
Tech. J., 63:2135–2157, 1984.
[31] N. Cai and R. W. Yeung, “Secure Network Coding on a Wiretap
Network,” IEEE Trans. Inform. Theory, vol. 57, no. 1, 424–435, 2011.
[32] N. Cai and M. Hayashi, “Secure Network Code for Adaptive and
Active Attacks with No-Randomness in Intermediate Nodes,” IEEE
Transactions on Information Theory, vol. 66, 1428–1448, 2020.
[33] Serge Vaudenay, “On the Need for Multipermutations: Cryptanalysis
of MD4 and SAFER” 2nd International Workshop on Fast Software
Encryption (FSE ’94), Leuven: Springer-Verlag, pp. 286–297, 1994.
[34] T. H. Chan, S.-W. Ho, and H. Yamamoto, “Private information retrieval
for coded storage,” in Proceedings of 2015 IEEE International Sympo-
sium on Information Theory (ISIT), pp. 2842–2846, June 2015.
[35] H. Sun and S. Jafar, “The capacity of private information retrieval,”
IEEE Transactions on Information Theory, vol. 63, no. 7, pp. 4075–
4088, 2017.
[36] K. Banawan and S. Ulukus, “The Capacity of Private Information
Retrieval from Byzantine and Colluding Databases,” IEEE Transactions
on Information Theory, vol. 65, no. 2, pp. 1206–1219, 2019.