Post on 14-Jul-2020
Codes with locality:constructions and applications
to cryptographic protocols
Julien LavauzelleÉcole Polytechnique & INRIA Saclay, Université Paris-Saclay
PhD defense
30/11/2018
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
1/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
1/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
1/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Error-correcting codes
Original goal: transmit information in the presence of noise.
messagem ∈ Fk
q7→ codeword
c ∈ C ⊆ Fnq
channelnoisy
codewordc′ ∈ Fn
q
7→decodedmessage
m′(= m?)
errors (ci 6= c′i ∈ Fq) or erasures (c′j =⊥)
Hamming distance d(u, v) := |i ∈ [1, n], ui 6= vi|.
I d = dmin(C) := mind(c, c′), c 6= c′, (c, c′) ∈ C2,I C linear over Fq, with k = dim(C).
dmin(C)
2/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Error-correcting codes
Original goal: transmit information in the presence of noise.
messagem ∈ Fk
q7→ codeword
c ∈ C ⊆ Fnq
channelnoisy
codewordc′ ∈ Fn
q
7→decodedmessage
m′(= m?)
errors (ci 6= c′i ∈ Fq) or erasures (c′j =⊥)
Hamming distance d(u, v) := |i ∈ [1, n], ui 6= vi|.
I d = dmin(C) := mind(c, c′), c 6= c′, (c, c′) ∈ C2,I C linear over Fq, with k = dim(C).
dmin(C)
2/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Error-correcting codes
Original goal: transmit information in the presence of noise.
messagem ∈ Fk
q7→ codeword
c ∈ C ⊆ Fnq
channelnoisy
codewordc′ ∈ Fn
q
7→decodedmessage
m′(= m?)
errors (ci 6= c′i ∈ Fq) or erasures (c′j =⊥)
Hamming distance d(u, v) := |i ∈ [1, n], ui 6= vi|.
I d = dmin(C) := mind(c, c′), c 6= c′, (c, c′) ∈ C2,I C linear over Fq, with k = dim(C).
dmin(C)
2/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Typical example: Reed-Solomon codes
Definition (Reed-Solomon code). Let x = (x1, . . . , xn) ∈ Fnq , pairwise distinct.
RSq(r, x) := (f (x1), . . . , f (xn)), f ∈ Fq[X], deg f ≤ r
xi
ci = f (xi)
I Dimension k = r + 1I Minimum distance dmin = n− rI Can decode any b errors and e
erasures→ if e + 2b < dmin→ in time Θ(n log3 n).
In this talk,RSq(r) := RSq(r, Fq)
3/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Typical example: Reed-Solomon codes
Definition (Reed-Solomon code). Let x = (x1, . . . , xn) ∈ Fnq , pairwise distinct.
RSq(r, x) := (f (x1), . . . , f (xn)), f ∈ Fq[X], deg f ≤ r
xi
ci = f (xi)I Dimension k = r + 1I Minimum distance dmin = n− rI Can decode any b errors and e
erasures→ if e + 2b < dmin→ in time Θ(n log3 n).
In this talk,RSq(r) := RSq(r, Fq)
3/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Typical example: Reed-Solomon codes
Definition (Reed-Solomon code). Let x = (x1, . . . , xn) ∈ Fnq , pairwise distinct.
RSq(r, x) := (f (x1), . . . , f (xn)), f ∈ Fq[X], deg f ≤ r
xi
ci = f (xi)I Dimension k = r + 1I Minimum distance dmin = n− rI Can decode any b errors and e
erasures→ if e + 2b < dmin→ in time Θ(n log3 n).
In this talk,RSq(r) := RSq(r, Fq)
3/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Local correction [Katz, Trevisan ’00]
Goal: sublinear-time correction of some symbols of c ∈ C.
Definition [KT00]. A code C ⊆ Fnq is
locally correctable with
– locality ` ≤ n,
– failure probability ε ∈ (0, 1),
– admissible fraction of errorsδ ∈ (0, 1),
if there exists a poly-time probabilisticalgorithm D such that, for every y ∈ Fn
qand c ∈ C satisfying d(y, c) ≤ δn and forevery 1 ≤ i ≤ n:
– Pr(D(y)(i) = ci) ≥ 1− ε;
– D(y)(i) makes at most ` queries tosymbols of y.
(n = 16, ` = 3)= error
= symbol to be corrected
y :
i
4/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Local correction [Katz, Trevisan ’00]
Goal: sublinear-time correction of some symbols of c ∈ C.
Definition [KT00]. A code C ⊆ Fnq is
locally correctable with
– locality ` ≤ n,
– failure probability ε ∈ (0, 1),
– admissible fraction of errorsδ ∈ (0, 1),
if there exists a poly-time probabilisticalgorithm D such that, for every y ∈ Fn
qand c ∈ C satisfying d(y, c) ≤ δn and forevery 1 ≤ i ≤ n:
– Pr(D(y)(i) = ci) ≥ 1− ε;
– D(y)(i) makes at most ` queries tosymbols of y.
(n = 16, ` = 3)= error
= symbol to be corrected
y :i
4/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Local correction [Katz, Trevisan ’00]
Goal: sublinear-time correction of some symbols of c ∈ C.
Definition [KT00]. A code C ⊆ Fnq is
locally correctable with
– locality ` ≤ n,
– failure probability ε ∈ (0, 1),
– admissible fraction of errorsδ ∈ (0, 1),
if there exists a poly-time probabilisticalgorithm D such that, for every y ∈ Fn
qand c ∈ C satisfying d(y, c) ≤ δn and forevery 1 ≤ i ≤ n:
– Pr(D(y)(i) = ci) ≥ 1− ε;
– D(y)(i) makes at most ` queries tosymbols of y.
(n = 16, ` = 3)= error
= symbol to be corrected
y :i
4/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Local correction [Katz, Trevisan ’00]
Goal: sublinear-time correction of some symbols of c ∈ C.
Definition [KT00]. A code C ⊆ Fnq is
locally correctable with
– locality ` ≤ n,
– failure probability ε ∈ (0, 1),
– admissible fraction of errorsδ ∈ (0, 1),
if there exists a poly-time probabilisticalgorithm D such that, for every y ∈ Fn
qand c ∈ C satisfying d(y, c) ≤ δn and forevery 1 ≤ i ≤ n:
– Pr(D(y)(i) = ci) ≥ 1− ε;
– D(y)(i) makes at most ` queries tosymbols of y.
(n = 16, ` = 3)= error
= symbol to be corrected
y :i
4/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Local correction [Katz, Trevisan ’00]
Goal: sublinear-time correction of some symbols of c ∈ C.
Definition [KT00]. A code C ⊆ Fnq is
locally correctable with
– locality ` ≤ n,
– failure probability ε ∈ (0, 1),
– admissible fraction of errorsδ ∈ (0, 1),
if there exists a poly-time probabilisticalgorithm D such that, for every y ∈ Fn
qand c ∈ C satisfying d(y, c) ≤ δn and forevery 1 ≤ i ≤ n:
– Pr(D(y)(i) = ci) ≥ 1− ε;
– D(y)(i) makes at most ` queries tosymbols of y.
(n = 16, ` = 3)= error
= symbol to be corrected
y :i
4/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
LCCs: goals and previous works
Goals:
– failure probability ε ≤ f (`) · δ, with f (`) ≤ cste.
– locality ` k– large dimension k
Some existing constructions:I constant locality `:
I Hadamard code (folklore) ` = 2 and k = log(n)I Matching vector codes [Yek08] k subexponential in log(n)
I constant rate R = k/n:I Reed-Muller codes (folklore) ` = n1/m and k ≤ 1
m! · nI Multiplicity codes [KSY14],
lifted codes [GKS13],expander codes [HOW14]
` ≤ nε and k ≥ α · n, ∀ε, α > 0, n→ ∞
5/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
LCCs: goals and previous works
Goals:
– failure probability ε ≤ f (`) · δ, with f (`) ≤ cste.
– locality ` k– large dimension k
Some existing constructions:I constant locality `:
I Hadamard code (folklore) ` = 2 and k = log(n)I Matching vector codes [Yek08] k subexponential in log(n)
I constant rate R = k/n:I Reed-Muller codes (folklore) ` = n1/m and k ≤ 1
m! · nI Multiplicity codes [KSY14],
lifted codes [GKS13],expander codes [HOW14]
` ≤ nε and k ≥ α · n, ∀ε, α > 0, n→ ∞
5/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Example: Reed-Muller codes
RMq(m, r) := (f (x) : x ∈ Fmq ), f ∈ Fq[X1, . . . , Xm], deg f ≤ r
Assume r ≤ q− 2, and let:
– c = (f (x) : x ∈ Fmq ) ∈ RMq(m, r)
– φ : Fq → Fmq affine and injective
⇒ affine line L := φ(Fq) ⊂ Fmq
Then, the restriction of c to L (or to φ):
c|L := ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
cx = f (x)c = ( f (x) : x ∈ F2
q)
F2q
Local correction of y ∈ FFm
qq at coordinate i ∈ Fm
q :
1. Pick at random a line L ⊂ Fmq such that i ∈ L.
2. Correct y|L as a noisy RSq(r) codeword, and output yi.
RMq(m, r) is locally correctable with ` = n1/m and ε = 21−r/q · δ
6/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Example: Reed-Muller codes
RMq(m, r) := (f (x) : x ∈ Fmq ), f ∈ Fq[X1, . . . , Xm], deg f ≤ r
Assume r ≤ q− 2, and let:
– c = (f (x) : x ∈ Fmq ) ∈ RMq(m, r)
– φ : Fq → Fmq affine and injective
⇒ affine line L := φ(Fq) ⊂ Fmq
Then, the restriction of c to L (or to φ):
c|L := ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
cx = f (x)
c|L
L
Local correction of y ∈ FFm
qq at coordinate i ∈ Fm
q :
1. Pick at random a line L ⊂ Fmq such that i ∈ L.
2. Correct y|L as a noisy RSq(r) codeword, and output yi.
RMq(m, r) is locally correctable with ` = n1/m and ε = 21−r/q · δ
6/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Example: Reed-Muller codes
RMq(m, r) := (f (x) : x ∈ Fmq ), f ∈ Fq[X1, . . . , Xm], deg f ≤ r
Assume r ≤ q− 2, and let:
– c = (f (x) : x ∈ Fmq ) ∈ RMq(m, r)
– φ : Fq → Fmq affine and injective
⇒ affine line L := φ(Fq) ⊂ Fmq
Then, the restriction of c to L (or to φ):
c|L := ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
cx = f (x)
c|L
L
Local correction of y ∈ FFm
qq at coordinate i ∈ Fm
q :
1. Pick at random a line L ⊂ Fmq such that i ∈ L.
2. Correct y|L as a noisy RSq(r) codeword, and output yi.
RMq(m, r) is locally correctable with ` = n1/m and ε = 21−r/q · δ
6/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Example: Reed-Muller codes
RMq(m, r) := (f (x) : x ∈ Fmq ), f ∈ Fq[X1, . . . , Xm], deg f ≤ r
Assume r ≤ q− 2, and let:
– c = (f (x) : x ∈ Fmq ) ∈ RMq(m, r)
– φ : Fq → Fmq affine and injective
⇒ affine line L := φ(Fq) ⊂ Fmq
Then, the restriction of c to L (or to φ):
c|L := ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
cx = f (x)
c|L
L
Local correction of y ∈ FFm
qq at coordinate i ∈ Fm
q :
1. Pick at random a line L ⊂ Fmq such that i ∈ L.
2. Correct y|L as a noisy RSq(r) codeword, and output yi.
RMq(m, r) is locally correctable with ` = n1/m and ε = 21−r/q · δ
6/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (1)
Issue: if r ≤ q− 2, the rate of RMq(m, r) is ' (r/q)m
m! .
Idea: consider the set of all polynomials f satisfying the “restriction property”:
for every affine line L given by φ, ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
Are there more polynomials than in RM codes?
Example (q = 4, m = 2, r = 2).
f (X, Y) = X2Y2 ∈ F4[X, Y], hence deg(f ) = 4 > 2Affine line L given by φ(T) = (aT + b, cT + d)
(f φ)(T) = (aT + b)2(cT + d)2
= (a2T2 + b2)(c2T2 + d2)
= (ac)2T4 + (ad + bc)2T2 + (bd)2
= (ad + bc)2T2 + (ac)2T + (bd)2 mod (T4 − T)
⇒ for every φ, the “restriction” (f φ)(T) can be interpolated asa univariate polynomial of degree ≤ 2
7/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (1)
Issue: if r ≤ q− 2, the rate of RMq(m, r) is ' (r/q)m
m! .
Idea: consider the set of all polynomials f satisfying the “restriction property”:
for every affine line L given by φ, ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
Are there more polynomials than in RM codes?
Example (q = 4, m = 2, r = 2).
f (X, Y) = X2Y2 ∈ F4[X, Y], hence deg(f ) = 4 > 2Affine line L given by φ(T) = (aT + b, cT + d)
(f φ)(T) = (aT + b)2(cT + d)2
= (a2T2 + b2)(c2T2 + d2)
= (ac)2T4 + (ad + bc)2T2 + (bd)2
= (ad + bc)2T2 + (ac)2T + (bd)2 mod (T4 − T)
⇒ for every φ, the “restriction” (f φ)(T) can be interpolated asa univariate polynomial of degree ≤ 2
7/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (1)
Issue: if r ≤ q− 2, the rate of RMq(m, r) is ' (r/q)m
m! .
Idea: consider the set of all polynomials f satisfying the “restriction property”:
for every affine line L given by φ, ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
Are there more polynomials than in RM codes?
Example (q = 4, m = 2, r = 2).
f (X, Y) = X2Y2 ∈ F4[X, Y], hence deg(f ) = 4 > 2Affine line L given by φ(T) = (aT + b, cT + d)
(f φ)(T) = (aT + b)2(cT + d)2
= (a2T2 + b2)(c2T2 + d2)
= (ac)2T4 + (ad + bc)2T2 + (bd)2
= (ad + bc)2T2 + (ac)2T + (bd)2 mod (T4 − T)
⇒ for every φ, the “restriction” (f φ)(T) can be interpolated asa univariate polynomial of degree ≤ 2
7/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (1)
Issue: if r ≤ q− 2, the rate of RMq(m, r) is ' (r/q)m
m! .
Idea: consider the set of all polynomials f satisfying the “restriction property”:
for every affine line L given by φ, ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
Are there more polynomials than in RM codes?
Example (q = 4, m = 2, r = 2).
f (X, Y) = X2Y2 ∈ F4[X, Y], hence deg(f ) = 4 > 2Affine line L given by φ(T) = (aT + b, cT + d)
(f φ)(T) = (aT + b)2(cT + d)2
= (a2T2 + b2)(c2T2 + d2)
= (ac)2T4 + (ad + bc)2T2 + (bd)2
= (ad + bc)2T2 + (ac)2T + (bd)2 mod (T4 − T)
⇒ for every φ, the “restriction” (f φ)(T) can be interpolated asa univariate polynomial of degree ≤ 2
7/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (1)
Issue: if r ≤ q− 2, the rate of RMq(m, r) is ' (r/q)m
m! .
Idea: consider the set of all polynomials f satisfying the “restriction property”:
for every affine line L given by φ, ((f φ)(t) : t ∈ Fq) ∈ RSq(r)
Are there more polynomials than in RM codes?
Example (q = 4, m = 2, r = 2).
f (X, Y) = X2Y2 ∈ F4[X, Y], hence deg(f ) = 4 > 2Affine line L given by φ(T) = (aT + b, cT + d)
(f φ)(T) = (aT + b)2(cT + d)2
= (a2T2 + b2)(c2T2 + d2)
= (ac)2T4 + (ad + bc)2T2 + (bd)2
= (ad + bc)2T2 + (ac)2T + (bd)2 mod (T4 − T)
⇒ for every φ, the “restriction” (f φ)(T) can be interpolated asa univariate polynomial of degree ≤ 2
7/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (2)
I Am := Fmq evAm (f ) := (f (x) : x ∈ Fm
q ) ∈ FAm
q
I EmbA(m) := φ : Fq → Fmq , injective and affine
Definition (lifted Reed-Solomon code [GKS13] reformulated).
Lift(RSq(r), m) := evAm (f ), f ∈ Fq[X] | ∀φ ∈ EmbA(m), evA1 (f φ) ∈ RSq(r)
Lift(RSq(r), m) is locally correctable with ` = n1/m and ε = 21−r/q · δ.
What about the dimension/rate?
Theorem (characteristic 2, simplified from [GKS13]).For every m ≥ 2 and 0 < R0 < 1, there exists q > 0 and r ≤ q− 2 such that
Lift(RSq(r), m)
is locally correctable with rate R ≥ R0.
8/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (2)
I Am := Fmq evAm (f ) := (f (x) : x ∈ Fm
q ) ∈ FAm
q
I EmbA(m) := φ : Fq → Fmq , injective and affine
Definition (lifted Reed-Solomon code [GKS13] reformulated).
Lift(RSq(r), m) := evAm (f ), f ∈ Fq[X] | ∀φ ∈ EmbA(m), evA1 (f φ) ∈ RSq(r)
Lift(RSq(r), m) is locally correctable with ` = n1/m and ε = 21−r/q · δ.
What about the dimension/rate?
Theorem (characteristic 2, simplified from [GKS13]).For every m ≥ 2 and 0 < R0 < 1, there exists q > 0 and r ≤ q− 2 such that
Lift(RSq(r), m)
is locally correctable with rate R ≥ R0.
8/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
High-rate construction: lifted codes (2)
I Am := Fmq evAm (f ) := (f (x) : x ∈ Fm
q ) ∈ FAm
q
I EmbA(m) := φ : Fq → Fmq , injective and affine
Definition (lifted Reed-Solomon code [GKS13] reformulated).
Lift(RSq(r), m) := evAm (f ), f ∈ Fq[X] | ∀φ ∈ EmbA(m), evA1 (f φ) ∈ RSq(r)
Lift(RSq(r), m) is locally correctable with ` = n1/m and ε = 21−r/q · δ.
What about the dimension/rate?
Theorem (characteristic 2, simplified from [GKS13]).For every m ≥ 2 and 0 < R0 < 1, there exists q > 0 and r ≤ q− 2 such that
Lift(RSq(r), m)
is locally correctable with rate R ≥ R0.
8/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Rate of lifted codes
Bounds in [GKS13] are far from being tight.I Ex: for m = 2 and R0 = 1/2, GKS theorem requires n = qm ≥ 264.
Theorem [characteristic 2, finite length n = q2 = 22e].For m = 2, q = 2e and r = (1− 2−c)q− 1,
R = 1− 54
(34
)c+
14
(14
)c+
12e
(3c − 12c+2
).
I actually, n = q2 ≥ 26 = 64 is enough to achieve R ≥ 1/2.
9/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Rate of lifted codes
Bounds in [GKS13] are far from being tight.I Ex: for m = 2 and R0 = 1/2, GKS theorem requires n = qm ≥ 264.
Theorem [characteristic 2, finite length n = q2 = 22e].For m = 2, q = 2e and r = (1− 2−c)q− 1,
R = 1− 54
(34
)c+
14
(14
)c+
12e
(3c − 12c+2
).
I actually, n = q2 ≥ 26 = 64 is enough to achieve R ≥ 1/2.
9/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Degree sets
Lifted codes are monomial, i.e. generated by evaluations of monomials
evAm (Xd11 . . . Xdm
m ) = evAm (Xd)
Degree set of a monomial code [GKS13]:
Deg(C) := d ∈ [0, q− 1]m, evAm (Xd) ∈ C
A representation for m = 2:
RM4(2, 4)d1
d2
RM4(2, 2)d1
d2
Lift(RS4(2), 2)d1
d2
10/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Degree sets
Lifted codes are monomial, i.e. generated by evaluations of monomials
evAm (Xd11 . . . Xdm
m ) = evAm (Xd)
Degree set of a monomial code [GKS13]:
Deg(C) := d ∈ [0, q− 1]m, evAm (Xd) ∈ C
A representation for m = 2:
RM4(2, 4)d1
d2
RM4(2, 2)d1
d2
Lift(RS4(2), 2)d1
d2
10/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
“Fractal” representation of degree sets
q = 16, r = 14
q = 8, r = 6
q = 4, r = 2
11/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
11/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Evaluation on projective spaces
Projective space Pm :=(Am+1 \ 0
)/ ∼ where a ∼ b iff ∃λ ∈ F×q , a = λb
Defining an evaluation map over Pm requires:I homogeneous polynomials f ∈ Fq[X]Hv of fixed degree v,I to choose a representative for every u ∈ Pm (see [Lac86]):
u = (0 : · · · : 0 : 1 : ∗ : · · · : ∗) ∈ Pm
We get:f (u) := f (0, . . . , 0, 1, ∗, . . . , ∗) ∈ Fq
evPm (f ) := (f (u) : u ∈ Pm) ∈ FPm
q
12/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Projective lifted codes
Example. Projective Reed-Solomon code:
PRSq(r) = evP1 (f ) = (f (x) : x ∈ P1), f ∈ Fq[X, Y]Hr
Let EmbP(m) := φ : F2q → Fm+1
q linear and injective.
Definition (lifted projective RS codes). Let v = r + (m− 1)(q− 1).
Lift(PRSq(r), m) := evPm (f ), f ∈ Fq[X]Hv |∀φ ∈ EmbP(m), evP1 (f φ) ∈ PRSq(r)
13/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Projective lifted codes
Example. Projective Reed-Solomon code:
PRSq(r) = evP1 (f ) = (f (x) : x ∈ P1), f ∈ Fq[X, Y]Hr
Let EmbP(m) := φ : F2q → Fm+1
q linear and injective.
Definition (lifted projective RS codes). Let v = r + (m− 1)(q− 1).
Lift(PRSq(r), m) := evPm (f ), f ∈ Fq[X]Hv |∀φ ∈ EmbP(m), evP1 (f φ) ∈ PRSq(r)
13/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Main results on projective lifted codes
Projective lifted codes...
I are locally correctable, with parameters (` = q + 1, δ, ε = δ/τ), where τ isthe relative correction capability of the small PRS code
I are monomial, with an explicit bijection between the degree sets ofLift(RSq(r− 1), m), Lift(PRSq(r), m) and Lift(PRSq(r), m− 1)
I satisfy the puncturing/shortening relation
0→ Lift(RSq(r− 1), m)→ Lift(PRSq(r), m)π−→ Lift(PRSq(r), m− 1)→ 0 ,
where π is induced by Pm → Pm−1.I are (up to equivalence)
cyclic codes if q− 1 and n =qm+1
q−1 are coprimequasi-cyclic codes if q− 1 and n
gcd(n,q−1) are coprime
I admit many explicit and easily computable information sets
Details in:Lifted Projective Reed-Solomon Codes, L., DCC, to appear
10.1007/s10623-018-0552-8
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Main results on projective lifted codes
Projective lifted codes...
I are locally correctable, with parameters (` = q + 1, δ, ε = δ/τ), where τ isthe relative correction capability of the small PRS code
I are monomial, with an explicit bijection between the degree sets ofLift(RSq(r− 1), m), Lift(PRSq(r), m) and Lift(PRSq(r), m− 1)
I satisfy the puncturing/shortening relation
0→ Lift(RSq(r− 1), m)→ Lift(PRSq(r), m)π−→ Lift(PRSq(r), m− 1)→ 0 ,
where π is induced by Pm → Pm−1.I are (up to equivalence)
cyclic codes if q− 1 and n =qm+1
q−1 are coprimequasi-cyclic codes if q− 1 and n
gcd(n,q−1) are coprime
I admit many explicit and easily computable information sets
Details in:Lifted Projective Reed-Solomon Codes, L., DCC, to appear
10.1007/s10623-018-0552-8
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Main results on projective lifted codes
Projective lifted codes...
I are locally correctable, with parameters (` = q + 1, δ, ε = δ/τ), where τ isthe relative correction capability of the small PRS code
I are monomial, with an explicit bijection between the degree sets ofLift(RSq(r− 1), m), Lift(PRSq(r), m) and Lift(PRSq(r), m− 1)
I satisfy the puncturing/shortening relation
0→ Lift(RSq(r− 1), m)→ Lift(PRSq(r), m)π−→ Lift(PRSq(r), m− 1)→ 0 ,
where π is induced by Pm → Pm−1.
I are (up to equivalence)
cyclic codes if q− 1 and n =qm+1
q−1 are coprimequasi-cyclic codes if q− 1 and n
gcd(n,q−1) are coprime
I admit many explicit and easily computable information sets
Details in:Lifted Projective Reed-Solomon Codes, L., DCC, to appear
10.1007/s10623-018-0552-8
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Main results on projective lifted codes
Projective lifted codes...
I are locally correctable, with parameters (` = q + 1, δ, ε = δ/τ), where τ isthe relative correction capability of the small PRS code
I are monomial, with an explicit bijection between the degree sets ofLift(RSq(r− 1), m), Lift(PRSq(r), m) and Lift(PRSq(r), m− 1)
I satisfy the puncturing/shortening relation
0→ Lift(RSq(r− 1), m)→ Lift(PRSq(r), m)π−→ Lift(PRSq(r), m− 1)→ 0 ,
where π is induced by Pm → Pm−1.I are (up to equivalence)
cyclic codes if q− 1 and n =qm+1
q−1 are coprimequasi-cyclic codes if q− 1 and n
gcd(n,q−1) are coprime
I admit many explicit and easily computable information sets
Details in:Lifted Projective Reed-Solomon Codes, L., DCC, to appear
10.1007/s10623-018-0552-8
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Main results on projective lifted codes
Projective lifted codes...
I are locally correctable, with parameters (` = q + 1, δ, ε = δ/τ), where τ isthe relative correction capability of the small PRS code
I are monomial, with an explicit bijection between the degree sets ofLift(RSq(r− 1), m), Lift(PRSq(r), m) and Lift(PRSq(r), m− 1)
I satisfy the puncturing/shortening relation
0→ Lift(RSq(r− 1), m)→ Lift(PRSq(r), m)π−→ Lift(PRSq(r), m− 1)→ 0 ,
where π is induced by Pm → Pm−1.I are (up to equivalence)
cyclic codes if q− 1 and n =qm+1
q−1 are coprimequasi-cyclic codes if q− 1 and n
gcd(n,q−1) are coprime
I admit many explicit and easily computable information sets
Details in:Lifted Projective Reed-Solomon Codes, L., DCC, to appear
10.1007/s10623-018-0552-8
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Main results on projective lifted codes
Projective lifted codes...
I are locally correctable, with parameters (` = q + 1, δ, ε = δ/τ), where τ isthe relative correction capability of the small PRS code
I are monomial, with an explicit bijection between the degree sets ofLift(RSq(r− 1), m), Lift(PRSq(r), m) and Lift(PRSq(r), m− 1)
I satisfy the puncturing/shortening relation
0→ Lift(RSq(r− 1), m)→ Lift(PRSq(r), m)π−→ Lift(PRSq(r), m− 1)→ 0 ,
where π is induced by Pm → Pm−1.I are (up to equivalence)
cyclic codes if q− 1 and n =qm+1
q−1 are coprimequasi-cyclic codes if q− 1 and n
gcd(n,q−1) are coprime
I admit many explicit and easily computable information sets
Details in:Lifted Projective Reed-Solomon Codes, L., DCC, to appear
10.1007/s10623-018-0552-8
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
14/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Lifted codes when r = q− 2
Remark. Assume r = q− 2. Then, RSq(q− 2) is the parity-check code.
a ∈ RSq(q− 2) ⇐⇒q
∑i=1
ai = 0
c ∈ Lift(RSq(q− 2), m) ⇐⇒ ∀L ⊆ Fmq , ∑
x∈Lcx = 0
A non-full-rank parity-check matrix for Lift(RSq(q− 2), m):
∗
0 · · · 0 1 · · · 1 0 · · · 0
∗
points in Fmq
lines in Fmq indicator vector of line L
15/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Lifted codes when r = q− 2
Remark. Assume r = q− 2. Then, RSq(q− 2) is the parity-check code.
a ∈ RSq(q− 2) ⇐⇒q
∑i=1
ai = 0
c ∈ Lift(RSq(q− 2), m) ⇐⇒ ∀L ⊆ Fmq , ∑
x∈Lcx = 0
A non-full-rank parity-check matrix for Lift(RSq(q− 2), m):
∗
0 · · · 0 1 · · · 1 0 · · · 0
∗
points in Fmq
lines in Fmq indicator vector of line L
15/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Block designs
Point-line incidences in the affine space form the affine geometry 2-design.
Definition. A t-design of parameters (n, `, λ) consists in:I a set X of points, |X| = n,I a set B of blocks B ⊂ X, |B| = `
such that every t-set in X appears in exactly λ blocks.
Incidence matrix of a design:
∗
0 · · · 0 1 · · · 1 0 · · · 0
∗
points in X
blocks in B indicator vector of block B
16/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Block designs
Point-line incidences in the affine space form the affine geometry 2-design.
Definition. A t-design of parameters (n, `, λ) consists in:I a set X of points, |X| = n,I a set B of blocks B ⊂ X, |B| = `
such that every t-set in X appears in exactly λ blocks.
Incidence matrix of a design:
∗
0 · · · 0 1 · · · 1 0 · · · 0
∗
points in X
blocks in B indicator vector of block B
16/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Block designs
Point-line incidences in the affine space form the affine geometry 2-design.
Definition. A t-design of parameters (n, `, λ) consists in:I a set X of points, |X| = n,I a set B of blocks B ⊂ X, |B| = `
such that every t-set in X appears in exactly λ blocks.
Incidence matrix of a design:
∗
0 · · · 0 1 · · · 1 0 · · · 0
∗
points in X
blocks in B indicator vector of block B
16/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Codes based on designs, and generalisation
The code based on the design D = (X,B) is the code C = Code(D) ⊆ FXq
admitting the incidence matrix of D as a parity-check matrix.
Code(D) = c ∈ FXq | ∀B ∈ B, c|B ∈ Parity
Remark. The dimension of Code(D) is highly dependent on the field Fq
Let F = (FB ⊆ FBq : B ∈ B) be a family of codes indexed by blocks B ∈ B.
The generalised design-based code based on (D,F ) is
Code(D,F ) := c ∈ FXq | ∀B ∈ B, c|B ∈ FB .
17/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Codes based on designs, and generalisation
The code based on the design D = (X,B) is the code C = Code(D) ⊆ FXq
admitting the incidence matrix of D as a parity-check matrix.
Code(D) = c ∈ FXq | ∀B ∈ B, c|B ∈ Parity
Remark. The dimension of Code(D) is highly dependent on the field Fq
Let F = (FB ⊆ FBq : B ∈ B) be a family of codes indexed by blocks B ∈ B.
The generalised design-based code based on (D,F ) is
Code(D,F ) := c ∈ FXq | ∀B ∈ B, c|B ∈ FB .
17/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Design-based codes and LCCs
Generalised design-based code C = Code(D,F ), where
– D be a t-(n, `+ 1, λ)-design – τ ∈ (0, 12 ) is fixed
– F = (FB : B ∈ B) s.t. every code in F corrects a fraction τ of errors
Algorithm. Local correction of y ∈ FXq at i ∈ X
I Pick uniformly at random a block B ∈ B such that i ∈ B.I Correct y|B as a noisy codeword from FB, and output yi.
Proposition [t = 2]. For every δ < τ/2, Code(D,F ) is a (`, δ, ε)-LCC, where
ε = δ/τ .
Proposition [t = 3]. For every δ < τ − 1/√
2`, Code(D,F ) is a (`, δ, ε)-LCCwhere
ε =δ(1− δ)
(τ − δ)2 ·1`≤ 1
τ2`· δ .
18/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
18/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
18/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Problem statement
Given a remote database F ∈ Fkq and 1 ≤ i ≤ k,
can we retrieve the entry Fi,without leaking information on the index i?
Trivial solution: full download.
Solutions with better communication complexity:I With 1 server, only computational privacy is possible [CGKS95, CG97].I With ` ≥ 2 servers, one can achieve information-theoretic privacy
[CGKS95-98].
19/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Problem statement
Given a remote database F ∈ Fkq and 1 ≤ i ≤ k,
can we retrieve the entry Fi,without leaking information on the index i?
Trivial solution: full download.
Solutions with better communication complexity:I With 1 server, only computational privacy is possible [CGKS95, CG97].I With ` ≥ 2 servers, one can achieve information-theoretic privacy
[CGKS95-98].
19/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Problem statement
Given a remote database F ∈ Fkq and 1 ≤ i ≤ k,
can we retrieve the entry Fi,without leaking information on the index i?
Trivial solution: full download.
Solutions with better communication complexity:I With 1 server, only computational privacy is possible [CGKS95, CG97].I With ` ≥ 2 servers, one can achieve information-theoretic privacy
[CGKS95-98].
19/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Definition of PIR [CGKS95]
Given a file F and ` servers S1, . . . , S`,user U wants to recover Fi privately.
A Private Information Retrieval protocol is a set of algorithms (Q,A,R):
1. U generates a query vectorq = (q1, . . . , q`)← Q(i) andsends qj to server Sj
2. Each server Sj computesaj = A(qj, F|Sj
) and sends itback to U
3. U recovers Fi = R(q, a, i)
U . . .
S1 S2 S`
(q1, . . . , q`)
(a1, . . . , a`)
Information-theoretic privacy: I(i ; qj) = 0, ∀j = 1, . . . , `.
20/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Definition of PIR [CGKS95]
Given a file F and ` servers S1, . . . , S`,user U wants to recover Fi privately.
A Private Information Retrieval protocol is a set of algorithms (Q,A,R):
1. U generates a query vectorq = (q1, . . . , q`)← Q(i) andsends qj to server Sj
2. Each server Sj computesaj = A(qj, F|Sj
) and sends itback to U
3. U recovers Fi = R(q, a, i)
U . . .
S1 S2 S`
(q1, . . . , q`)
(a1, . . . , a`)
Information-theoretic privacy: I(i ; qj) = 0, ∀j = 1, . . . , `.
20/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Definition of PIR [CGKS95]
Given a file F and ` servers S1, . . . , S`,user U wants to recover Fi privately.
A Private Information Retrieval protocol is a set of algorithms (Q,A,R):
1. U generates a query vectorq = (q1, . . . , q`)← Q(i) andsends qj to server Sj
2. Each server Sj computesaj = A(qj, F|Sj
) and sends itback to U
3. U recovers Fi = R(q, a, i)
U . . .
S1 S2 S`
(q1, . . . , q`)
(a1, . . . , a`)
Information-theoretic privacy: I(i ; qj) = 0, ∀j = 1, . . . , `.
20/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Definition of PIR [CGKS95]
Given a file F and ` servers S1, . . . , S`,user U wants to recover Fi privately.
A Private Information Retrieval protocol is a set of algorithms (Q,A,R):
1. U generates a query vectorq = (q1, . . . , q`)← Q(i) andsends qj to server Sj
2. Each server Sj computesaj = A(qj, F|Sj
) and sends itback to U
3. U recovers Fi = R(q, a, i)
U . . .
S1 S2 S`
(q1, . . . , q`)
(a1, . . . , a`)
Information-theoretic privacy: I(i ; qj) = 0, ∀j = 1, . . . , `.
20/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Definition of PIR [CGKS95]
Given a file F and ` servers S1, . . . , S`,user U wants to recover Fi privately.
A Private Information Retrieval protocol is a set of algorithms (Q,A,R):
1. U generates a query vectorq = (q1, . . . , q`)← Q(i) andsends qj to server Sj
2. Each server Sj computesaj = A(qj, F|Sj
) and sends itback to U
3. U recovers Fi = R(q, a, i)
U . . .
S1 S2 S`
(q1, . . . , q`)
(a1, . . . , a`)
Information-theoretic privacy: I(i ; qj) = 0, ∀j = 1, . . . , `.
20/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Motivation
Usual goals for PIR:I Low communication complexityI Low storage overhead for the serversI Low computation complexity for algorithms A (server) andR (user)
Most constructions focus on the download communication complexity
– up to the PIR capacity [SJ17]
– but require Ω(k) computation complexity for each server
We here focus on the computation complexity, crucial for practicality [OG10].
21/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Motivation
Usual goals for PIR:I Low communication complexityI Low storage overhead for the serversI Low computation complexity for algorithms A (server) andR (user)
Most constructions focus on the download communication complexity
– up to the PIR capacity [SJ17]
– but require Ω(k) computation complexity for each server
We here focus on the computation complexity, crucial for practicality [OG10].
21/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Motivation
Usual goals for PIR:I Low communication complexityI Low storage overhead for the serversI Low computation complexity for algorithms A (server) andR (user)
Most constructions focus on the download communication complexity
– up to the PIR capacity [SJ17]
– but require Ω(k) computation complexity for each server
We here focus on the computation complexity, crucial for practicality [OG10].
21/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
21/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Transversal designs
A transversal design TD(`, s) = (X,B,G) is given by:I X a set of points, |X| = n = s`,
I groups G = Gj1≤j≤` satisfying
X =`
äj=1
Gj and |Gj| = s ,
I blocks B ∈ B satisfying– B ⊂ X and |B| = `;– for all i, j ⊂ X, i, j lie:
either in a single group G ∈ G,or in a unique block B ∈ B
. . .
•••••••
•••••••
•••••••
•••••••
G1 G2 G`−1G`
j
i
•
•
•
•
Its incidence matrix (between points and blocks) defines a code.
22/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Transversal designs
A transversal design TD(`, s) = (X,B,G) is given by:I X a set of points, |X| = n = s`,I groups G = Gj1≤j≤` satisfying
X =`
äj=1
Gj and |Gj| = s ,
I blocks B ∈ B satisfying– B ⊂ X and |B| = `;– for all i, j ⊂ X, i, j lie:
either in a single group G ∈ G,or in a unique block B ∈ B
. . .
•••••••
•••••••
•••••••
•••••••
G1 G2 G`−1G`
j
i
•
•
•
•
Its incidence matrix (between points and blocks) defines a code.
22/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Transversal designs
A transversal design TD(`, s) = (X,B,G) is given by:I X a set of points, |X| = n = s`,I groups G = Gj1≤j≤` satisfying
X =`
äj=1
Gj and |Gj| = s ,
I blocks B ∈ B satisfying– B ⊂ X and |B| = `;– for all i, j ⊂ X, i, j lie:
either in a single group G ∈ G,or in a unique block B ∈ B
. . .
•••••••
•••••••
•••••••
•••••••
G1 G2 G`−1G`
j
i
•
•
•
•
Its incidence matrix (between points and blocks) defines a code.
22/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Transversal designs
A transversal design TD(`, s) = (X,B,G) is given by:I X a set of points, |X| = n = s`,I groups G = Gj1≤j≤` satisfying
X =`
äj=1
Gj and |Gj| = s ,
I blocks B ∈ B satisfying– B ⊂ X and |B| = `;– for all i, j ⊂ X, i, j lie:
either in a single group G ∈ G,or in a unique block B ∈ B
. . .
•••••••
•••••••
•••••••
•••••••
G1 G2 G`−1G`
j
i
•
•
•
•
Its incidence matrix (between points and blocks) defines a code.
22/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Example
The transversal design TD(3, 3) represented by:
•••
•••
•••
G1 G2 G3 B =
•••
•••
•••
B1 ∪
•••
•••
•••
B2 ∪
•••
•••
•••
B3
gives an incidence matrix
H =
1 1 1 0 0 0 0 0 00 0 0 1 1 1 0 0 00 0 0 0 0 0 1 1 11 0 0 0 0 1 0 1 00 1 0 1 0 0 0 0 10 0 1 0 1 0 1 0 01 0 0 0 1 0 0 0 10 1 0 0 0 1 1 0 00 0 1 1 0 0 0 1 0
Its rank over F3 is 6 =⇒ the associated code C is a [9, 3]3 code.
23/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
23/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
The PIR scheme
Let C ⊆ Fnq be a code based on a TD(`, s).
• Initialisation. User U encodes F 7→ c ∈ C, and gives c|Gjto server Sj.
• To recover Fi = ci, with i ∈ X:
1. User U randomly picks a block B ∈ B containing i.Then U defines:
qj = Q(i)j :=
unique ∈ B∩Gj if i /∈ Gja random point in Gj otherwise.
2. Each server Sj sends back cqj
3. U recovers
ci = − ∑j: i/∈Gj
cqj = − ∑b∈B\i
cb
24/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
The PIR scheme
Let C ⊆ Fnq be a code based on a TD(`, s).
• Initialisation. User U encodes F 7→ c ∈ C, and gives c|Gjto server Sj.
• To recover Fi = ci, with i ∈ X:
1. User U randomly picks a block B ∈ B containing i.Then U defines:
qj = Q(i)j :=
unique ∈ B∩Gj if i /∈ Gja random point in Gj otherwise.
2. Each server Sj sends back cqj
3. U recovers
ci = − ∑j: i/∈Gj
cqj = − ∑b∈B\i
cb
24/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
The PIR scheme
Let C ⊆ Fnq be a code based on a TD(`, s).
• Initialisation. User U encodes F 7→ c ∈ C, and gives c|Gjto server Sj.
• To recover Fi = ci, with i ∈ X:
1. User U randomly picks a block B ∈ B containing i.Then U defines:
qj = Q(i)j :=
unique ∈ B∩Gj if i /∈ Gja random point in Gj otherwise.
2. Each server Sj sends back cqj
3. U recovers
ci = − ∑j: i/∈Gj
cqj = − ∑b∈B\i
cb
24/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Privacy and parameters
Theorem. This PIR protocol is information-theoretically private.
Proof:– the only server which holds Fi received a random query;
– for each other server Sj, query qj gives no information on the block B which has beenpicked⇒ no information leaks on i.
Features.I communication complexity: ` log s uploaded bits, ` log q dowloaded bitsI computational complexity:
I only 1 read for each server (somewhat optimal)I ≤ ` additions over Fq for the user
I storage overhead: (n− k) log q bits
Question: transversal designs with good k depending on (`, s)?
25/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Privacy and parameters
Theorem. This PIR protocol is information-theoretically private.
Proof:– the only server which holds Fi received a random query;
– for each other server Sj, query qj gives no information on the block B which has beenpicked⇒ no information leaks on i.
Features.I communication complexity: ` log s uploaded bits, ` log q dowloaded bitsI computational complexity:
I only 1 read for each server (somewhat optimal)I ≤ ` additions over Fq for the user
I storage overhead: (n− k) log q bits
Question: transversal designs with good k depending on (`, s)?
25/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Privacy and parameters
Theorem. This PIR protocol is information-theoretically private.
Proof:– the only server which holds Fi received a random query;
– for each other server Sj, query qj gives no information on the block B which has beenpicked⇒ no information leaks on i.
Features.I communication complexity: ` log s uploaded bits, ` log q dowloaded bitsI computational complexity:
I only 1 read for each server (somewhat optimal)I ≤ ` additions over Fq for the user
I storage overhead: (n− k) log q bits
Question: transversal designs with good k depending on (`, s)?
25/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
25/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with geometric designs
TA, the classical affine transversal design:I X = Fm
q , m ≥ 2,I G a set of q disjoint hyperplanes partitionning X,I B = affine lines L secant to each group of G.
Proposition. The code based on TA is identical to the code based on the affinegeometry design (i.e. the lifted code with r = q− 2).
Instances:
– 3.2% storage overhead if #entries ≤ (#servers)2
– 27% storage overhead if #entries ≤ (#servers)3
Question: better instances?
26/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with geometric designs
TA, the classical affine transversal design:I X = Fm
q , m ≥ 2,I G a set of q disjoint hyperplanes partitionning X,I B = affine lines L secant to each group of G.
Proposition. The code based on TA is identical to the code based on the affinegeometry design (i.e. the lifted code with r = q− 2).
Instances:
– 3.2% storage overhead if #entries ≤ (#servers)2
– 27% storage overhead if #entries ≤ (#servers)3
Question: better instances?
26/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with geometric designs
TA, the classical affine transversal design:I X = Fm
q , m ≥ 2,I G a set of q disjoint hyperplanes partitionning X,I B = affine lines L secant to each group of G.
Proposition. The code based on TA is identical to the code based on the affinegeometry design (i.e. the lifted code with r = q− 2).
Instances:
– 3.2% storage overhead if #entries ≤ (#servers)2
– 27% storage overhead if #entries ≤ (#servers)3
Question: better instances?
26/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with geometric designs
TA, the classical affine transversal design:I X = Fm
q , m ≥ 2,I G a set of q disjoint hyperplanes partitionning X,I B = affine lines L secant to each group of G.
Proposition. The code based on TA is identical to the code based on the affinegeometry design (i.e. the lifted code with r = q− 2).
Instances:
– 3.2% storage overhead if #entries ≤ (#servers)2
– 27% storage overhead if #entries ≤ (#servers)3
Question: better instances?
26/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with orthogonal arrays
An orthogonal array OA(t, `, s) of strength t is a list A of words
– of length `,
– over a finite set S, |S| = s,
– such that, for every I ⊂ [1, `] of size t, A|I = St.
Equivalently, an OA(t, `, s) is a code A ⊂ S` with dual distance t + 1.
Construction OA→ TD :I X = S× [1, `]I G = S× i, 1 ≤ i ≤ `
I B = (ci, i), 1 ≤ i ≤ `, c ∈ OA
S = a, b
OA(2, 3, 2) =
a b bb b ab a ba a a
(a, 1) (a, 2) (a, 3)
(b, 1) (b, 2) (b, 3)
27/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with orthogonal arrays
An orthogonal array OA(t, `, s) of strength t is a list A of words
– of length `,
– over a finite set S, |S| = s,
– such that, for every I ⊂ [1, `] of size t, A|I = St.
Equivalently, an OA(t, `, s) is a code A ⊂ S` with dual distance t + 1.
Construction OA→ TD :I X = S× [1, `]I G = S× i, 1 ≤ i ≤ `
I B = (ci, i), 1 ≤ i ≤ `, c ∈ OA
S = a, b
OA(2, 3, 2) =
a b bb b ab a ba a a
(a, 1) (a, 2) (a, 3)
(b, 1) (b, 2) (b, 3)
27/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with orthogonal arrays
An orthogonal array OA(t, `, s) of strength t is a list A of words
– of length `,
– over a finite set S, |S| = s,
– such that, for every I ⊂ [1, `] of size t, A|I = St.
Equivalently, an OA(t, `, s) is a code A ⊂ S` with dual distance t + 1.
Construction OA→ TD :I X = S× [1, `]I G = S× i, 1 ≤ i ≤ `I B = (ci, i), 1 ≤ i ≤ `, c ∈ OA
S = a, b
OA(2, 3, 2) =
a b bb b ab a ba a a
(a, 1) (a, 2) (a, 3)
(b, 1) (b, 2) (b, 3)
27/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with orthogonal arrays
An orthogonal array OA(t, `, s) of strength t is a list A of words
– of length `,
– over a finite set S, |S| = s,
– such that, for every I ⊂ [1, `] of size t, A|I = St.
Equivalently, an OA(t, `, s) is a code A ⊂ S` with dual distance t + 1.
Construction OA→ TD :I X = S× [1, `]I G = S× i, 1 ≤ i ≤ `I B = (ci, i), 1 ≤ i ≤ `, c ∈ OA
S = a, b
OA(2, 3, 2) =
a b bb b ab a ba a a
(a, 1) (a, 2) (a, 3)
(b, 1) (b, 2) (b, 3)
27/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Instances with orthogonal arrays
An orthogonal array OA(t, `, s) of strength t is a list A of words
– of length `,
– over a finite set S, |S| = s,
– such that, for every I ⊂ [1, `] of size t, A|I = St.
Equivalently, an OA(t, `, s) is a code A ⊂ S` with dual distance t + 1.
Construction OA→ TD :I X = S× [1, `]I G = S× i, 1 ≤ i ≤ `I B = (ci, i), 1 ≤ i ≤ `, c ∈ OA
S = a, b
OA(2, 3, 2) =
a b bb b ab a ba a a
(a, 1) (a, 2) (a, 3)
(b, 1) (b, 2) (b, 3)
27/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Resisting collusions
Proposition. For t = 2, an OA(t, `, s) gives a TD(`, s).
Experimentally, for t = 2 and small ` and s, codes based on classical affine TDshave the largest dimension.
For t ≥ 3, we get TDs such that:
for every t-set T of points lying in t different groups,there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t− 1 colluding servers.
I OAs with t > 2 exist (e.g. from Reed-Solomon codes)I But associated TDs lead to codes with poor rates except for t `
Details in:Private Information Retrieval from Transversal Designs, L., IEEE TIT, to appear
10.1109/TIT.2018.2861747
28/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Resisting collusions
Proposition. For t = 2, an OA(t, `, s) gives a TD(`, s).
Experimentally, for t = 2 and small ` and s, codes based on classical affine TDshave the largest dimension.
For t ≥ 3, we get TDs such that:
for every t-set T of points lying in t different groups,there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t− 1 colluding servers.
I OAs with t > 2 exist (e.g. from Reed-Solomon codes)I But associated TDs lead to codes with poor rates except for t `
Details in:Private Information Retrieval from Transversal Designs, L., IEEE TIT, to appear
10.1109/TIT.2018.2861747
28/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Resisting collusions
Proposition. For t = 2, an OA(t, `, s) gives a TD(`, s).
Experimentally, for t = 2 and small ` and s, codes based on classical affine TDshave the largest dimension.
For t ≥ 3, we get TDs such that:
for every t-set T of points lying in t different groups,there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t− 1 colluding servers.
I OAs with t > 2 exist (e.g. from Reed-Solomon codes)I But associated TDs lead to codes with poor rates except for t `
Details in:Private Information Retrieval from Transversal Designs, L., IEEE TIT, to appear
10.1109/TIT.2018.2861747
28/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Resisting collusions
Proposition. For t = 2, an OA(t, `, s) gives a TD(`, s).
Experimentally, for t = 2 and small ` and s, codes based on classical affine TDshave the largest dimension.
For t ≥ 3, we get TDs such that:
for every t-set T of points lying in t different groups,there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t− 1 colluding servers.
I OAs with t > 2 exist (e.g. from Reed-Solomon codes)I But associated TDs lead to codes with poor rates except for t `
Details in:Private Information Retrieval from Transversal Designs, L., IEEE TIT, to appear
10.1109/TIT.2018.2861747
28/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Resisting collusions
Proposition. For t = 2, an OA(t, `, s) gives a TD(`, s).
Experimentally, for t = 2 and small ` and s, codes based on classical affine TDshave the largest dimension.
For t ≥ 3, we get TDs such that:
for every t-set T of points lying in t different groups,there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t− 1 colluding servers.
I OAs with t > 2 exist (e.g. from Reed-Solomon codes)I But associated TDs lead to codes with poor rates except for t `
Details in:Private Information Retrieval from Transversal Designs, L., IEEE TIT, to appear
10.1109/TIT.2018.2861747
28/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
28/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Proofs-of-retrievability [Juels, Kaliski ’07]
Issue: a client wants to verify if a file stored on a server is still retrievable,with a low communication challenge-response protocol
?a few bits
“can I get my file?”
Additional constraints: unbounded-use, low client storage, low computation
29/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Proofs-of-retrievability [Juels, Kaliski ’07]
Issue: a client wants to verify if a file stored on a server is still retrievable,with a low communication challenge-response protocol
?a few bits
“can I get my file?”
Additional constraints: unbounded-use, low client storage, low computation
29/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
PoR with lifted codes
C = Lift(RSq(r), m)
Assumption: one can compute independent pseudo-random permutations
σ(κ)i ∈ S(Fq), 1 ≤ i ≤ n, κ ∈ K
Initialisation:I User picks κ ∈ K at randomI File F is encoded and permuted as follows:
F 7→ c ∈ C 7→ w = σ(c) = (σ(κ)1 (c1), . . . , σ
(κ)n (cn)) ∈ Fn
q
I User stores κ, server stores w
Verification:I User picks a line L ⊂ Fm
q at random and sends it to the serverI Server reads w|L and sends it back to the user
I User accepts iff σ−1(w|L) ∈ RSq(r)
30/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Results
Informal result (for the lifted code with m = 2):
For every ε ≤ ε0 ' 1, we have:if the server answers correctly to a fraction ≥ 1− ε of the challenges,then with probability ≥ 1−O
( 1n(ε0−ε)2
)the file is extractable from the server.
Details in:New Proofs of Retrievability using Locally Decodable Codes, L. & Levy-dit-Vehel
IEEE International Symposium on Information Theory, 2016
This idea can be generalised to other codes such as design-based codes.
Details in:Generic Constructions of PoRs from Codes and Instantiations, L. & Levy-dit-Vehel
submitted, 2018
31/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Results
Informal result (for the lifted code with m = 2):
For every ε ≤ ε0 ' 1, we have:if the server answers correctly to a fraction ≥ 1− ε of the challenges,then with probability ≥ 1−O
( 1n(ε0−ε)2
)the file is extractable from the server.
Details in:New Proofs of Retrievability using Locally Decodable Codes, L. & Levy-dit-Vehel
IEEE International Symposium on Information Theory, 2016
This idea can be generalised to other codes such as design-based codes.
Details in:Generic Constructions of PoRs from Codes and Instantiations, L. & Levy-dit-Vehel
submitted, 2018
31/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Results
Informal result (for the lifted code with m = 2):
For every ε ≤ ε0 ' 1, we have:if the server answers correctly to a fraction ≥ 1− ε of the challenges,then with probability ≥ 1−O
( 1n(ε0−ε)2
)the file is extractable from the server.
Details in:New Proofs of Retrievability using Locally Decodable Codes, L. & Levy-dit-Vehel
IEEE International Symposium on Information Theory, 2016
This idea can be generalised to other codes such as design-based codes.
Details in:Generic Constructions of PoRs from Codes and Instantiations, L. & Levy-dit-Vehel
submitted, 2018
31/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Outline
1. Codes with localityLocality in coding theory, examplesLifted projective Reed-Solomon codesA combinatorial point of view
2. Private information retrieval from transversal designsPrivate information retrieval (PIR)Transversal designs and codesA new PIR constructionInstances
3. Proofs-of-retrievability
4. Conclusion
31/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Conclusion
I Analysis and generalisation of a family of high-rate locallycorrectable codes, namely lifted Reed-Solomon codes
I Combinatorial formalism for the construction of locally correctablecodes, thanks to block designs
I Application to private information retrieval (PIR)
I Application to proofs of retrievability (PoR)
32/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –
Future works
I PIR with low server computation complexityI 1 server read −→ constant/sublinear number of server reads
I Extend the lifting process to other geometric varietiesI e.g. the Hermitian variety
I Design-based codes allow us to remove probabilistic decodersfrom a definition of locally correctable codes
I “usual” combinatorial coding-theoretic version of LCCsI new constructions? new bounds?
33/33 J. Lavauzelle PhD defense– Codes with locality: constructions and applications to cryptographic protocols –