Professional Documents
Culture Documents
Abstract—We study the equivalence between non-perfect se- the secret. We denote NSS with A and B by (A, B, n)-NSS.
cret sharing (NSS) and symmetric private information retrieval The (A, B, n)-NSS is SS if B = [n] \ A.
(SPIR) with colluding and unresponsive servers. We prove the
equivalence between NSS and SPIR in the following two senses. SPIR [4] is a variant of PIR in which the user only obtains
1) Given any SPIR protocol, we can construct an NSS protocol. 2) the targeted file but no information of the other files. The paper
Given any linear NSS protocol, we can construct a SPIR protocol. [4] proved that shared randomness of servers is necessary to
From this equivalence relation, we prove that the capacity of n-
server SPIR with r responsive servers and r colluding servers is achieve SPIR. We consider SPIR with arbitrary colluding and
(r − t)/n. response patterns A, B ⊂ 2[n] . We define (A, B, n, f)-SPIR
by the n-server f-file SPIR with the following conditions:
i) the user correctly recovers the targeted file even if only
I. I NTRODUCTION the servers indexed by A ∈ A answer to the user; ii) the
identity of the retrieved file is not leaked even if the servers
Secret sharing (SS) and private information retrieval (PIR) indexed by B ∈ B communicate; and iii) the user obtains
are two extensively studied cryptographic protocols. SS [1], no other information than the targeted file in any case. If
[2] considers the problem in which a dealer encodes a secret A = {n} and B = [n], (A, B, n, f)-SPIR is the SPIR in
into n shares so that some subsets of shares can reconstruct the which no servers collude and all servers respond, which has
secret but the other subsets have no information of the secret. been discussed in [4], [15]. In existing studies, the paper
PIR [3] considers the problem in which a user retrieves one [16] discussed SPIR with t colluding servers, the papers [17],
of the multiple files from server(s) without revealing which [18] discussed PIR with t colluding servers and r responsive
file is retrieved. Since PIR with one server has no efficient servers, and the papers [17], [19], [20], [21], [22] discussed
solution [3], it has been extensively studied with multiple non- PIR with arbitrary collusion pattern, which is given as B in
communicating servers, and thus, in the following, we simply our definition. However, SPIR with arbitrary collusion and
denote multi-server PIR by PIR. SS and PIR have a similar response patterns have not been studied.
structure because the secrecy of both protocols is obtained
The first result of this paper is (A, B, n, f)-SPIR implies
by partitioning confidential information and restricting access
(A, B, n)-NSS. Formally, we define (A, B, n, f)-SPIR and
to the partitioned information. On the other hand, the two
(A, B, n)-NSS protocols with entropic measures of correctness
protocols have a different structure because, in SS, the secret is
and secrecies. With abuse of notation, our theorem states
both the confidential information and the message but in PIR,
that an (A, B, n, f)-SPIR protocol with nearly perfect mea-
the files are not confidential. From the similarity, there have
sures implies an (A, B, n)-NSS protocol with nearly perfect
been several studies to construct PIR from secret sharing [4],
measures. The proof idea is simply described as follows. To
[5], [6]. However, the relationship between these two protocols
construct an (A, B, n)-NSS protocol from a given (A, B, n, f)-
has not been explicitly discussed.
SPIR protocol, the dealer simulates (A, B, n, f)-SPIR protocol
In this paper, we study a kind of equivalence relation with the secret of NSS as one of the files, and encodes the
between an extended class of SS, called non-perfect SS (NSS), n pairs of the queries and the answers as n shares. Then, the
and that of PIR, called symmetric PIR (SPIR). NSS is first shares indexed by A reconstruct the secret near-perfectly by
discussed by [8], [9] with thresholds, but in this paper, we the SPIR’s correctness, and the shares indexed by B have no
discuss NSS with general access structures, which have been information of the secret near-perfectly by the SPIR’s secrecy
discussed [10], [11], [12], [13], [14]. NSS is defined with conditions.
two collections A, B ⊂ 2[n] := 2{1,...,n} which represents the
One interesting corollary of our first result is an upper bound
authorized sets and the forbidden sets, respectively. The shares
on the SPIR rate with arbitrary collusion and response patterns.
indexed by any element of A can reconstruct the secret but
those indexed by any element of B have no information of
TABLE I letters (e.g., a, b), sets by calligraphy letters (e.g., A, B),
D EFINITION OF SYMBOLS parameters in protocols by sans serif lowercase letters (e.g.,
Symbol SPIR Secret Sharing a, b), and matrices by sans serif upper letters (e.g., A, B). We
n Number of servers Number of shares also denote [n, m] = {n, n + 1, . . . , m} and [n] = [1 : n]. For
f Number of files - any set or sequence A = {A1 , . . . , An } and any X ⊂ [n], we
m Bit size of one file Bit size of secret denote AX := {Ai | i ∈ X }. For any matrix A ∈ n × m and
r Number of responsive servers Reconstruction threshold
t Number of colluding servers Secrecy threshold any X ⊂ [n], we denote AX is the restricted matrix by the
rows indexed by X . The finite field of order q is denoted by
Fq . For a set A, idA denotes the identity map on A.
With abuse of notation, the PIR rate RPIR is defined as
II. F ORMAL DEFINITION OF NSS AND SPIR
(Bit size of the targeted file)
RPIR = . (1)
(Bit size of all answers) In this section, we formally define SPIR, NSS, linear NSS,
and MMSP. For these definitions, we first define monotone
Similarly, the SS rate1 RSS is defined as collections.
(Bit size of secret)
RSS = . (2) Definition 1 (Monotone collection). We call A ⊂ 2[n] an
(Bit size of maximum share)
monotone increasing collection if A ∈ A implies C ∈ A
In our conversion from SPIR to NSS, any SPIR protocol with for any A ⊂ C. We call B ⊂ 2[n] a monotone decreasing
PIR rate RPIR is converted into an NSS protocol with SS collection if B ∈ B implies C ∈ A for any C ⊂ B.
rate RSS = nRPIR . Since any (A, B, n)-NSS protocols satisfy
RSS ≤ δ(A, B) := min{|A − B| | A ∈ A, B ∈ B} [10], [11], A. Formal definition of symmetric private information re-
[12], [13] and the share size is the same for all shares in our trieval (SPIR)
conversion, we obtain RPIR ≤ δ(A, B)/n for any (A, B, n, f)-
SPIR protocols. When A (B) consists of all subsets of [n] with We formally describe a SPIR protocol with one user and n
cardinality at least r (at most t), we obtain δ(A, B) = r−t, i.e., servers as follows.
(A, B, n, f)-SPIR rate is upper bounded by (r−t)/n. Since the
Definition 2 ((A, B, n, f)-SPIR). Files are given as a uniform
protocol by Tajeddine et al. [18] achieves this PIR rate, our
random variable M = (M1 , . . . , Mf ) ∈ Mf and m := |M|.
upper bound proves that the capacity (i.e., the optimal rate) of
Each of n servers contains the files M . The servers share
SPIR with r responses and t colluding servers is (r − t)/n.
uniform randomness T = (T1 , . . . , Tn ) ∈ T ⊂ T1 × · · · × Tn ,
The converse result is a weaker implication from linear which is independent of any other random variables, so that
(A, B, n)-NSS to (A, B, n, f)-SPIR. Linear (A, B, n)-NSS is a the j-th server contains Tj . Let K ∈ [f] be the user’s input,
well-known class of NSS in which the encoding of the secret is i.e., Mk is the targeted file when K = k.
performed by a linear map of the secret and the randomness.
A protocol Φm SPIR is described by the deterministic map-
To prove this result, we define multi-target monotone span
pings f, g1 , . . . , gn , h in the following steps.
programs (MMSP) with general access structure (A, B), which
we call (A, B, n)-MMSP. Similar to the result that SS is equiv- 1) Query: Depending on the user’s private uniform random-
alent to monotone span program [23], [24], [25], we prove ness R ∈ R, the user prepares n queries by
that the (A, B, n)-NSS is equivalent to (A, B, n)-MMSP. With
this equivalence, we give a construction of (A, B, n, f)-SPIR Q = (Q1 , . . . , Qn ) = f (K, R) ∈ Q1 × · · · × Qn (3)
from (A, B, n)-MMSP, which proves that linear (A, B, n)- and sends the j-th query Qj to the j-th server.
NSS implies (A, B, n, f)-SPIR.
2) Answer: The j-th server returns
The remainder of the paper is organized as follows. Sec-
tion II gives the definitions of NSS, SPIR, and related con- Aj = gj (Qj , M, Tj ) ∈ Aj (4)
cepts. Section III presents the main results of the paper.
to the user.
Section IV proves the conversion from SPIR to NSS. Section V
proves the conversion from linear NSS to SPIR. Section VI 3) Reconstruction: Let A = (A1 , . . . , An ) ∈ A := A1 ×· · ·×
proves the equivalence of linear NSS protocols and MMSPs. An . For some X ⊂ [n], the user outputs
Section VII gives the optimal constructions of NSS and SPIR
with thresholds. Section VIII is the conclusion of the paper. Y = hX (A, K, R) = h(A, K, R, X ) ∈ M. (5)
Notations: We denote random variables by uppercase letters Let A, B ⊂ 2[n] be monotone increasing and decreasing
(e.g., A, B), and values of the random variables by lowercase collections, respectively, such that A ∩ B = ∅. The protocol
1 The SS rate and its inverse are often called information rate and informa-
ΦmSPIR is called an (A, B, n, f)-SPIR protocol with security
tion ratio, respectively [26]. However, we call it SS rate to differentiate with (α(Φm m m
SPIR ), β(ΦSPIR ), γ(ΦSPIR )) if the following conditions
the PIR rate. are satisfied.
• Correctness: 2) Reconstruction: The players indexed by X ⊂ [n] output
α(Φm
SPIR ) := max H(Mk |AX R, K = k). (6) Y = hX (SX ) = h(X , S) ∈ L. (11)
k∈[f],X ∈A
γ(Φm
SPIR ) := max I(K; QX ). (8) α(Φm
NSS ) := max H(L|SX ). (12)
X ∈B X ∈A
log m β(Φm
NSS ) := max I(L; SX ). (13)
RPIR (Φm
SPIR ) := Pn . (9) X ∈B
j=1 log |Aj | The SS rate of the protocol Φm
NSS is defined as
B. Conversion from linear NSS to SPIR For the proof of Corollary 4, we prove the equivalence of
MMSP and linear NSS. The papers [23], [24], [25] proved
In this subsection, we prove the implication from linear the equivalence of linear SS protocols and monotone span
NSS to SPIR. As will be discussed in Section III-C, a linear programs (i.e., MMSPs with x = 1). Similarly, we prove
(A, B, n)-NSS protocol is equivalent to an (A, B, n)-MMSP the equivalence of linear NSS protocols and MMSPs by the
P = (G, τ ). Thus, we construct an (A, B, n, f)-SPIR protocol following conversions.
from an (A, B, n)-MMSP.
Protocol 3. Suppose a linear NSS protocol is defined with a
First, we define a SPIR protocol from an MMSP. linear encoder f : Fx+y
q → Fzq and a map τ : [z] → [n]. Let
Protocol 2. Let P = (G, τ ) is an MMSP. We denote G = Gf be the matrix representation of the linear map f . Then, an
(G′ , G′′ ) ∈ Fqz×x × Fqz×y . Let f be an arbitrary positive integer MMSP P[Φm NSS ] := (Gf , τ ) is defined.
at least 2. An SPIR protocol Φm SPIR [P] is defined as follows. Protocol 4. Let P = (G, τ ) be an MMSP and fG be the linear
Let f be an arbitrary positive integer greater than 1. The map associated with G. Then, a linear NSS protocol Φm NSS [P]
f file are given as Mi ∈ Fxq . The shared randomness of the is defined with the linear encoder fG and the map τ .
servers is given as T ∈ Fyq . When K = k is fixed, we define Theorem 3. Given a linear (A, B, n)-NSS protocol Φm NSS , the
the query and the answer as follows. MMSP P[Φm NSS ] defined in Protocol 3 is an (A, B, n)-MMSP.
Conversely, given an (A, B, n)-MMSP protocol P, the NSS
• Query: Let Ek ∈ Fx×fx
q = Fx×x
q ×· · ·×Fx×x
q be the matrix
protocol Φm
NSS [P] defined in Protocol 4 is a linear (A, B, n)-
whose k-th block is the x × x identity matrix and other
NSS protocol.
blocks are zero. Let R be the uniform random matrix in
Fy×fx
q . The user prepares the query as
We give the proof of Theorem 3 in Section VI.
Ek
Z=G = G′ Ek + G′′ R ∈ Fqz×fx . (16)
R
Depending on the index map τ , the user sends Zτ −1 (j) ∈ IV. C ONVERSION OF SPIR TO NSS
|τ −1 (j)|×fx
Fq to the j-th server.
1 In In this section, we prove Theorem 1 and Corollary 1. For
[18], the denominator is n − r since they did not counted the cost of
downloading answers from unresponsive servers. the proof, we prepare the following lemma.
Lemma 1. For any (A, B, n, f)-SPIR with correctness α, we Lastly, we construct a protocol satisfying both conditions 1)
′
have and 2). Let Φm SPIR be the (A, B, n, f)-SPIR protocol of PIR
rate RPIR satisfying condition 1). Let σ be the right cyclic
max H(Mk |AX Q, K = k) ≤ α (18) shift of [n], i.e., σ(i) = i + 1 for i ≤ n and σ(n) = 1.
k∈[f],X ∈A
′
Suppose we apply the protocol Φm SPIR n times and we denote
max I(AQ; M[f]\k |K = k) ≤ β (19) j
k∈[f] the answers at round j by A1 ∈ A1 , . . . , Ajn ∈ An . We modify
this n repetitions so that the answer from the i-th server is
Lemma 2. For any X ⊂ [f] such that |X | ≤ t, (Ajσj (i) | j ∈ [n]). Then, the total size of the answers from
Pn
each server are identically i=1 log |Ai |, which implies the
p p
I(M1 ; AX QX |K = 1) ≤ β + 4 2γ log m + 2h2 ( 2γ). ′
(20) condition 2). Condition 1) is also satisfied because Φm SPIR
already satisfies condition 1). This modified protocol is also
The proofs of Lemmas 1 and 2 are given in Appendices A a (A, B, n, f)-SPIR protocol and has the same PIR rate as
′
and B, respectively. ΦmSPIR .
In this section, we prove Theorem 3. For the proof, we where Ix is the x × x identity matrix and Ox×y is the x × y
prepare the following lemma. zero matrix. Thus, the row space of Gτ −1 (X ) includes the row
space of (Ix , Ox×y ), which implies that the MMSP P[Φm NSS ]
Lemma 3. Let P = (G, τ ) be an (A, B, n)-MMSP. Let X ∈ accepts A.
Fxq and Y ∈ Fyq be uniform random vectors and
Next, we prove that the linear NSS protocol Φm NSS [P]
X defined in Protocol 4 from an (A, B, n)-MMSP is a linear
Zτ −1 (X ) = Gτ −1 (X ) . (31)
Y (A, B, n)-NSS protocol. Since the linear encoding fG of the
Then, for any X ∈ B, linear NSS protocol ΦmNSS [P] is defined from the matrix G,
we have
H(Zτ −1 (X ) ) = H(Zτ −1 (X ) |X = x) (32)
L1
for any x ∈ Fxq , i.e., I(Zτ −1 (X ) ; X) = 0. ..
.
Z1
.. Lx
Proof. The fact that P rejects B is equivalent to Z = . = G R1
(45)
Zz
..
rank G′′τ −1 (X ) = rank Gτ −1 (X ) ∀X ∈ B. (33) .
Ry
From this relation, we obtain
L1 R1
H(Zτ −1 (X ) |X = x) (34) ′ .. ′′ ..
= G . + G . . (46)
= H(G′τ −1 (X ) x + G′′τ −1 (X ) R) (35) Lx Ry
(a)
= H(G′′τ −1 (X ) R) = rank G′′τ −1 (X ) log q (36) For any X ∈ [n], the collection of the shares indexed by X is
(b) written as
= rank Gτ −1 (X ) log q = H(Zτ −1 (X ) ), (37)
L1 R1
where (a) and (b) are from Proposition 3. ′ .. ′′ ..
SX = Gτ −1 (X ) . + Gτ −1 (X ) . . (47)
Now, we prove Theorem 3. Lx Ry
Since the MMSP P accepts A, i.e., the row space of Gτ −1 (X ) VIII. C ONCLUSION
contains e1 , . . . , ex for any X ∈ A, there exists a matrix H ∈
Fx×z
q such that We have studied the equivalence relation between non-
perfect secret sharing and symmetric private information re-
L1 trieval. We defined the two protocols with monotone increasing
..
HSX = . , (48) and decreasing collections A and B, which represent the
Lx authorized and forbidden sets for non-perfect secret sharing
and the responsive and colluding servers for symmetric private
which implies the correctness condition H(L|SX ) = 0 information retrieval. We first showed that any SPIR protocols
(∀X ∈ A), i.e., the linear NSS Φm NSS [P] accepts A. On the can be converted into NSS protocols and the optimal achiev-
other hand, applying Lemma 3 for (X, Y ) := (L, R), the able rate of SPIR is upper bounded by that of NSS. Combining
protocol Φm NSS [P] satisfies the secrecy condition I(L; SX ) = an upper bound of NSS rates with the SPIR protocol by
I(L; Zτ −1 (X ) ) = 0 (∀X ∈ B). Tajeddine et al. [18], we proved the capacity of SPIR with
r responsive servers and t colluding servers are (r − t)/n. For
VII. O PTIMAL CONSTRUCTION OF (r, t, n)-NSS AND the converse part, we showed linear NSS implies SPIR. We
(r, t, n, f)-SPIR proved this implication by the equivalence of linear NSS and
multi-target monotone span program.
In this section, we construct (r, t, n)-NSS and (r, t, n, f)-
SPIR protocols with optimal rates from a (r, t, n)-MMSP. The
proposed protocols are already proposed by Yamamoto [9] and IX. ACKNOWLEDGEMENT
by Tajeddine et al. [18] (as a special case), but we construct
SS is supported by JSPS Grant-in-Aid for JSPS Fellows
these protocols from MMSPs.
No. JP20J11484. MH was supported in part by Guangdong
In the following, we assume that the size of the finite field Provincial Key Laboratory (Grant, No. 2019B121203002).
Fq is at least n. We define an MMSP P = (G, τ ) by the
Vandermonde matrix, which is also the generator matrix of A PPENDIX A
a Reed-Solomon code [38]. Let (x, y, z) = (r − t, t, n) and P ROOF OF L EMMA 1
τ = id[n] .
For any K = k and X ∈ A, we have
1 α1 · · · αx+y−1 1 α1 · · · αr−1
1 α21 · · · α2x+y−1 1 α21 · · · α2r−1 H(Mk |AX Q) = H(Mk AX |Q) − H(AX |Q) (51)
G = . .. = .. .. .
.. .. .. .. (a)
.. . . . . . . . = H(Mk AX |RQ) − H(AX |RQ) (52)
z z n n
1 α1 · · · αx+y−1 1 α1 · · · αr−1 (b)
= H(Mk AX |R) − H(AX |R) (53)
Then, we can easily confirm that the MMSP P accepts A =
= H(Mk |AX R) (54)
{X ⊂ [n] | |X | ≥ r} and rejects B = {X ⊂ [n] | |X | ≤ t} as
(c)
follows. For any permutation π of [n], the matrices ≤ max H(Mk |AY R) ≤ α. (55)
Y∈A
π(1) π(1)
1 α1 · · · αr−1
. .. .. .. r×r
The equality (a) is from the fact that R − Q − A and
A= .. . . . ∈ Fq , (49) R−Q−AMk are Markov chains, respectively, i.e., H(A|R) =
π(r) π(r) H(A|RQ) and H(Mk A|R) = H(Mk A|RQ). The equality
1 α1 ··· αr−1
(b) holds because Q = f (k, R) from the query step of Defi-
Ir−t ··· 0
π(1) π(1) nition 2. The inequality (c) is from the correctness condition
1 α1 ··· αr−1
r×r (6). By taking maximum over k ∈ [f], we obtain (18).
B=
.. .. ..
.
.. ∈ Fq (50)
. . . Similarly, from the Markov property of R − Q − A and
π(t) π(t)
1 α1 ··· αr−1 R − QM[f]\k − A, we obtain (19).
are invertible matrices. Eq. (49) guarantees the acceptance of
P because the row span of A is Frq and thus includes E = A PPENDIX B
{e1 , . . . , er−t }. Eq. (50) guarantees the rejection of P because P ROOF OF L EMMA 2
the first n − r rows of B are elements of E = {e1 , . . . , er−t }.
For the proof, we define the variational distance
Thus, the linear NSS protocol ΦmNSS [P] defined in Protocol 4 X
is an (r, t, n)-NSS protocol with the SS rate RSS = r − t, d(p, q) := |p(x) − q(x)|. (56)
and the SPIR protocol Φm SPIR [P] defined in Protocol 2 is an
x
(r, t, n)-SPIR protocol with the PIR rate RPIR = (r − t)/n. Throughout this section, we denote the distribution of a
Given t, r, n, these protocols are optimal from Proposition 1 random variable X by PX and the probability PX (x) by Px ,
and Corollary 3. i.e., subscript with the lowercase letter of X.
First, we prepare the following proposition. where the inequality (c) holds since K − QX − M1 AX is
a Markov chain. Then, from Eq. (64) and the triangular
Proposition 4 (Classical Alicki-Fannes inequality [39]). Let
inequality, we obtain (58) as
X, Y be random variable on X , Y and p, q be P
probability dis- p
tributions on X × Y such that ǫ := 2d(p, q) = x,y |p(x, y) − 2γ ≥ d(pM1 AX QX |K=1 , pM1 AX QX ) (75)
q(x, y)|. Then, + d(pM1 AX QX |K=2 , pM1 AX QX ) (76)
|H(pX|Y ) − H(qX|Y )| ≤ 4ǫ log |X | + 2h2 (ǫ). (57) ≥ d(pM1 AX QX |K=1 , pM1 AX QX |K=2 ). (77)