Robust and Secure Cache-aided Private Linear Function Retrieval from Coded Servers
Qifa Yan and Daniela Tuninetti
University of Illinois Chicago, Chicago, IL 60607, USA, Email: {qifa, danielat}@uic.edu

Abstract—This paper investigates the ultimate performance limits of Linear Function Retrieval (LFR) by cache-aided users from distributed coded servers. Each user aims to retrieve a linear function of the files of a library, which are Maximum Distance Separable (MDS) coded and stored at multiple servers. The system needs to guarantee robust decoding in the sense that each user must decode its demanded function with signals from any subset of servers whose cardinality exceeds a threshold. In addition, the following conditions must be met: (a) the content of the library must be kept secure from a wiretapper who obtains all the signals sent by the servers; (b) any subset of users together cannot obtain any information about the demands of the remaining users; and (c) the users' demands must be kept private against all the servers even if they collude. A scheme that uses the superposition of security and privacy keys is proposed to meet all those conditions. The achieved load-memory tradeoff is the same as that achieved in the single-server case scaled by the inverse of the MDS code rate used to encode the files, and the same optimality guarantees as in the single-server setup are obtained.
I. INTRODUCTION
Coded caching, introduced by Maddah-Ali and Niesen (MAN) [1], is a technique to reduce the communication load by leveraging the multicast opportunities created by caches at the users. The model consists of a single server, multiple users, and two phases. In the placement phase, the users' caches are filled without the knowledge of their future demands. In the delivery phase, when users' demands are revealed, the server satisfies them by transmitting coded packets over a shared link. It turns out that for a system with $N$ files and $K$ users, the MAN scheme achieves the optimal load-memory tradeoff among all uncoded placement schemes when $N \ge K$ [2], and after removing some redundant transmissions, also for $N < K$ [3]. Recently, it was shown that allowing the users to demand arbitrary linear combinations of the files does not increase the load compared to single file retrieval [4].

[Fig. 1: System model]

In practical systems, content security and demand privacy are both critical aspects. In [5], the content of the files must be protected against a wiretapper who obtains the delivery phase transmissions. We investigated demand privacy against colluding users in [6] for both single file retrieval and linear function retrieval, where any subset of users must not obtain any information about the demands of other users, even if they exchange the content in their caches. The key idea in [5] and [6] is that users cache, in addition to the content as in the MAN scheme [1], also some security keys or privacy keys for the MAN uncached part of the files; this is done in a structured way so that each user can retrieve all the multicast messages needed for correct decoding. We investigated the content Secure and demand Private Linear Function Retrieval (SP-LFR) problem in [7], for linear function retrieval [4] with security [5] and user-privacy constraints [6].
We designed a key superposition scheme to guarantee the security and privacy conditions simultaneously by superposing (i.e., summing together) the security keys and privacy keys. It was shown that the load-memory tradeoff is the same as in the setup with only content security guarantees.

Since node failures and erasures arise naturally in any storage system, redundancy should be introduced [8]. A common erasure coding technique is to use Maximum Distance Separable (MDS) codes. An $(H, L)$ MDS code encodes $L$ packets into $H$ packets, with the property that upon obtaining any $L$ (out of $H$) coded packets one can recover the $L$ information packets. This motivates us to investigate cache-aided LFR from a distributed storage system [9]–[11], as in Fig. 1. The model consists of $H$ servers, where each file is stored at the servers in the form of an $(H, L)$ MDS coded version. Each server is connected to the users via a dedicated shared link, but may not reach all of the users. The coding scheme needs to guarantee that each user can retrieve an arbitrary linear function of the files from the signals of arbitrary $L$ servers. The security [5] and user-privacy [6] conditions are also imposed. In addition, the users' demands must be kept private against all the servers, even if they exchange their available information, which we refer to as server-privacy.

We propose a scheme that builds on the key superposition idea from [7]. In particular, key superposition is used on the MDS coded packets in the delivery phase. Interestingly, both the achieved load and converse are increased by a factor $H/L$ compared to the single server case [7], and thus the same optimality guarantees of the single-server case continue to hold in the multi-server case.

II. SYSTEM MODEL

Let $N, K, L, H$ be positive integers satisfying $L \le H$. The $(N, K, L, H)$ system illustrated in Fig. 1 consists of $H$ servers (denoted by $1, \ldots, H$), where each server is connected to $K$ users (denoted by $1, \ldots, K$) via a dedicated shared-link. A file library of $N$ files (denoted by $W_1, \ldots, W_N \in \mathbb{F}_q^{B}$) is stored at the $H$ servers in the form of an $(H, L)$ MDS code as follows, where $B$ denotes the file length. Each file $W_n$, $n \in [N]$, is composed of $L$ equal-size subfiles $W_{n,1}, \ldots, W_{n,L} \in \mathbb{F}_q^{B/L}$ and is encoded into $H$ coded subfiles $W_{n,1}, \ldots, W_{n,H}$ with a given $(H, L)$ MDS code with generator matrix

$$G = \begin{bmatrix} g_{1,1} & \cdots & g_{1,H} \\ \vdots & \ddots & \vdots \\ g_{L,1} & \cdots & g_{L,H} \end{bmatrix}, \tag{1}$$

that is, the coded subfiles are given by

$$W_{n,h} = \sum_{l \in [L]} g_{l,h} W_{n,l}, \quad \forall h \in [H],\ n \in [N]. \tag{2}$$

The $N$ files are mutually independent and uniformly distributed over $\mathbb{F}_q^{B}$, that is,

$$H(W_1) = \ldots = H(W_N) = B, \tag{3a}$$
$$H(W_1, \ldots, W_N) = H(W_1) + \ldots + H(W_N). \tag{3b}$$

Therefore, each subfile or coded subfile is uniformly distributed over $\mathbb{F}_q^{B/L}$. Server $h \in [H]$ stores the $h$-th coded subfile of each file, i.e., $W_{[N],h} := (W_{1,h}, \ldots, W_{N,h})$.

For notational simplicity, for any given vector $\mathbf{a} = (a_1, \ldots, a_N)^\top \in \mathbb{F}_q^{N}$, we denote the linear combination of the files or (coded) subfiles for all $l \in [L]$ and $h \in [H]$ as

$$W_{\mathbf{a}} := \sum_{n \in [N]} a_n W_n, \qquad W_{\mathbf{a},l} := \sum_{n \in [N]} a_n W_{n,l}, \tag{4a}$$
$$W_{\mathbf{a},h} := \sum_{n \in [N]} a_n W_{n,h} = \sum_{l \in [L]} g_{l,h} W_{\mathbf{a},l}. \tag{4b}$$

Notice that $W_{\mathbf{a}}$, $W_{\mathbf{a},l}$, $W_{\mathbf{a},h}$ are linear in $\mathbf{a}$, e.g., for any $u, v \in \mathbb{F}_q$ and $\mathbf{a}, \mathbf{b} \in \mathbb{F}_q^{N}$, $W_{u\mathbf{a} + v\mathbf{b}} = u W_{\mathbf{a}} + v W_{\mathbf{b}}$. Moreover, since $W_{n,[H]} := (W_{n,1}, \ldots, W_{n,H})$ is the MDS coded version of $W_{n,[L]} := (W_{n,1}, \ldots, W_{n,L})$, $\forall n \in [N]$, by linearity we have that $W_{\mathbf{a},[H]} := (W_{\mathbf{a},1}, \ldots, W_{\mathbf{a},H})$ is the MDS coded version of $W_{\mathbf{a},[L]} := (W_{\mathbf{a},1}, \ldots, W_{\mathbf{a},L})$, $\forall \mathbf{a} \in \mathbb{F}_q^{N}$, as in (4b).

The system operates in two phases as follows.

Placement Phase:
The servers can communicate with each other, and all users can access all servers. To ensure the security condition in (10b), the servers share some randomness $V$ from some finite alphabet $\mathcal{V}$. Each user $k \in [K]$ generates some random variable $P_k$ from some finite alphabet $\mathcal{P}_k$ and caches some content $Z_k$ as a function of $P_k$, $V$ and the file library $W_{[N]}$. Let the cached content be

$$Z_k := \varphi_k(P_k, V, W_{[N]}), \quad \forall k \in [K], \tag{5}$$

for some encoding functions $\varphi_k : \mathcal{P}_k \times \mathcal{V} \times \mathbb{F}_q^{NB} \mapsto \mathbb{F}_q^{\lfloor MB \rfloor}$, $\forall k \in [K]$. The quantity $M$ is referred to as the memory size. The encoding functions $\varphi_1, \ldots, \varphi_K$ are known by the servers, but the randomness $P_1, \ldots, P_K$ is kept private by the corresponding users.

Delivery Phase:
Each user $k \in [K]$ generates a demand $\mathbf{d}_k = (d_{k,1}, \ldots, d_{k,N})^\top \in \mathbb{F}_q^{N}$, meaning it is interested in retrieving the linear combination of the files $W_{\mathbf{d}_k}$. The following random variables are independent:

$$H(\mathbf{d}_{[K]}, W_{[N]}, P_{[K]}, V) = \sum_{k \in [K]} H(\mathbf{d}_k) + \sum_{n \in [N]} H(W_n) + \sum_{k \in [K]} H(P_k) + H(V). \tag{6}$$

User $k \in [K]$ generates queries $Q_{k,[H]} := (Q_{k,1}, \ldots, Q_{k,H})$ as

$$Q_{k,h} := \kappa_{k,h}(\mathbf{d}_k, Z_k) \in \mathbb{F}_q^{\ell_{k,h}}, \quad \forall h \in [H], \tag{7}$$

for some query functions $\kappa_{k,h} : \mathbb{F}_q^{N} \times \mathbb{F}_q^{\lfloor MB \rfloor} \mapsto \mathbb{F}_q^{\ell_{k,h}}$, where $\ell_{k,h}$ is the length of the query $Q_{k,h}$. If any randomness is needed in the queries, it has to be stored in the cache. Then user $k \in [K]$ sends the query $Q_{k,h}$ to server $h \in [H]$.

Upon receiving the queries from all the users, server $h \in [H]$ creates a signal $X_h$ as

$$X_h := \phi_h(V, Q_{[K],h}, W_{[N],h}), \tag{8}$$

for some encoding function $\phi_h : \mathcal{V} \times \mathbb{F}_q^{\sum_{k \in [K]} \ell_{k,h}} \times \mathbb{F}_q^{NB/L} \mapsto \mathbb{F}_q^{\lfloor R_h B \rfloor}$. The quantity $R_h$, $h \in [H]$, is referred to as the load of server $h$. The load of the system is defined as

$$R := \sum_{h \in [H]} R_h. \tag{9}$$

A Robust Secure and (user- and server-) Private cache-aided Linear Function Retrieval (RSP-LFR) scheme must satisfy

$$\text{[Correctness]} \quad H(W_{\mathbf{d}_k} \mid X_{\mathcal{L}}, \mathbf{d}_k, Z_k) = 0, \quad \forall k \in [K],\ \mathcal{L} \subseteq [H] : |\mathcal{L}| = L, \tag{10a}$$
$$\text{[Security]} \quad I(W_{[N]}; X_{[H]}) = 0, \tag{10b}$$
$$\text{[Server Privacy]} \quad I(\mathbf{d}_{[K]}; Q_{[K],[H]}, W_{[N],[H]}, V) = 0, \tag{10c}$$
$$\text{[User Privacy]} \quad I(\mathbf{d}_{[K] \setminus \mathcal{S}}; X_{[H]}, \mathbf{d}_{\mathcal{S}}, Z_{\mathcal{S}} \mid W_{[N]}) = 0, \quad \forall \mathcal{S} \subseteq [K] : \mathcal{S} \ne \emptyset. \tag{10d}$$

Objective:
A memory-load pair $(M, R) \in [1, N] \times \mathbb{R}^{+}$ is said to be achievable if, for any $\epsilon > 0$, there exists a scheme satisfying all the above conditions with memory size less than $M + \epsilon$ and load less than $R + \epsilon$, for some file length $B$. The objective of this paper is to characterize the optimal load-memory tradeoff of the system, defined as

$$R^{*}(M) := \inf_{B \in \mathbb{N}^{+}} \{ R : (M, R) \text{ is achievable for } B \}. \tag{11}$$

Throughout this paper, we consider the case $N \ge 2$, since demand privacy is impossible for $N = 1$ (i.e., there is only one possible file to be demanded).

Remark 1. The constraints (10a)–(10d) imply the following:
1) The correctness condition in (10a) guarantees that each user can correctly decode its required linear function by receiving any $L$-subset of the transmitted signals. Since each user decodes independently, the available subset of signals $\mathcal{L}$ need not be the same across the users.
2) The security condition (10b) guarantees that a wiretapper, who is not a user in the system and observes the delivery signals, cannot obtain any information about the contents of the library files. It was proved in [7, Appendix A] that the conditions in (10b) and (10d) imply $I(W_{[N]}, \mathbf{d}_{[K]}; X_{[H]}) = 0$, that is, the wiretapper having access to $X_{[H]}$ in fact cannot obtain any information on both the files and the demands of the users.
3) The server-privacy condition in (10c) guarantees that the servers cannot obtain any information on the demands of the users, even if all the servers collude by exchanging their stored contents.
4) The user-privacy condition in (10d) guarantees that any subset of users who exchange their cache contents cannot jointly learn any information on the demands of the other users, regardless of the file realizations.

Remark 2. It was proved in [5] that, in order to guarantee the correctness condition in (10a) and the security condition in (10b) simultaneously, the memory size $M$ has to be no less than one.
Thus the load-memory tradeoff is defined for $M \in [1, N]$.

Remark 3. If the demands $\mathbf{d}_1, \ldots, \mathbf{d}_K$ are restricted to $\{\mathbf{e}_1, \ldots, \mathbf{e}_N\}$, where $\mathbf{e}_n \in \mathbb{F}_q^{N}$, $n \in [N]$, is the vector with the $n$-th digit being $1$ and all the others zero, then each user is interested in retrieving one single file.

Remark 4. For the case $L = 1$ and $G = [1, 1, \ldots, 1]$, the servers store replicated databases. A scheme to retrieve a single file per user from replicated databases while guaranteeing server-privacy was proposed in [12]. This differs from our setup, even if we remove the user-privacy and security conditions, since we impose robustness, i.e., each user can decode from the signal received from any one server (i.e., $L = 1$). Our setup does not reduce to the PIR setting in [12], again because of the robustness constraint.

III. MAIN RESULT AND AN EXAMPLE
The following theorem is our main result, achieved by the Key Superposition RSP-LFR scheme described in Section IV.

Theorem 1. For an $(N, K, L, H)$ system, the lower convex envelope of the following points is achievable

$$(M_t, R_t) = \left( 1 + \frac{t(N-1)}{K},\ \frac{H(K-t)}{L(t+1)} \right), \quad t \in [0 : K]. \tag{12}$$

Moreover, this load-memory tradeoff is optimal to within a multiplicative gap of at most in all regimes, except for M ∈ [1, with N < K.

Remark 5. If $H = L = 1$, the system degrades to the single-server shared-link system, where all the files are stored at the server [1]. In [7], a key superposition scheme was proposed to guarantee the correctness, security, and user privacy conditions simultaneously. The scheme was presented in the Placement Delivery Array (PDA) framework, which was proposed in [13] to find low-subpacketization schemes. In particular, it was shown that schemes based on PDAs describing the MAN scheme achieve the lower convex envelope of the points

$$(M_t, R'_t) = \left( 1 + \frac{t(N-1)}{K},\ \frac{K-t}{t+1} \right), \quad t \in [0 : K]. \tag{13}$$

Notice that, when $H/L = 1$, the memory-load pairs in (12) degrade to (13). In this case, each user needs to retrieve information from all the servers, and the total load is the same as that of the single server case (i.e., $H = L = 1$). Moreover, this indicates that, in addition to guaranteeing correctness, security, and user-privacy conditions, the server-privacy condition does not increase the load-memory tradeoff. Moreover, let $R(M)$ denote the tradeoff in (12) and $R_{\text{Single}}(M)$ the tradeoff in (13), then $R(M) = \frac{H}{L} \cdot R_{\text{Single}}(M)$, i.e., the achieved load in multi-server systems is the single-server load scaled by the inverse of the MDS code rate.

We conclude this section with an example to highlight the key ideas in the RSP-LFR scheme described in Section IV.

Example 1. Consider the $(N, K, L, H) = (4, 3, 2, 3)$ system with MDS generator matrix

$$G = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \end{bmatrix}. \tag{14}$$

That is, each file $W_n$, $n \in [N]$, $N = 4$, is split into $L = 2$ subfiles as $W_n = (W_{n,1}, W_{n,2})$, and servers $1$, $2$ and $3$ of the $H = 3$ servers store $W_{[4],1}$, $W_{[4],2}$ and $W_{[4],1} \oplus W_{[4],2}$ (written in terms of the uncoded subfiles), respectively.

Consider $t = 1$. We partition each subfile $W_{n,l}$ into $\binom{K}{t} = 3$ equal-size packets as $W_{n,l} = (W_{n,l,1}, W_{n,l,2}, W_{n,l,3})$, and as a result, also each coded subfile $W_{n,h} = (W_{n,h,1}, W_{n,h,2}, W_{n,h,3})$, where each packet is in $\mathbb{F}_q^{B/6}$. The system operates as follows:

Placement Phase:
The servers share $L \binom{K}{t+1} = 6$ random packets $\{ V_{l,\mathcal{J}} : l \in [2],\ \mathcal{J} \subseteq [3],\ |\mathcal{J}| = 2 \}$, which are generated independently and uniformly over $\mathbb{F}_q^{B/6}$. Each user $k \in [3]$ generates a random vector $\mathbf{p}_k = (p_{k,1}, p_{k,2}, p_{k,3}, p_{k,4})^\top \in \mathbb{F}_q^{4}$ and caches

$$Z_k = \{ \mathbf{p}_k \} \cup \{ W_{n,l,k} : n \in [4],\ l \in [2] \} \tag{15a}$$
$$\qquad \cup \{ W_{\mathbf{p}_k,l,j} + V_{l,\{j,k\}} : l \in [2],\ j \in [3],\ j \ne k \}. \tag{15b}$$

Delivery Phase:
Let the users' demands be $W_{\mathbf{d}_1}$, $W_{\mathbf{d}_2}$ and $W_{\mathbf{d}_3}$, where $\mathbf{d}_1, \mathbf{d}_2, \mathbf{d}_3 \in \mathbb{F}_q^{4}$. Each user $k$ sends the query

$$\mathbf{q}_k = \mathbf{p}_k \oplus \mathbf{d}_k \tag{16}$$

to all the servers. Upon receiving the queries $\mathbf{q}_{[3]}$, each server $h \in [3]$ sends a signal $X_h$ to the users, which is composed of the queries $\mathbf{q}_{[3]}$ and of the $\binom{K}{t+1} = 3$ coded packets

$$Y_{h,\{j,k\}} = V_{h,\{j,k\}} + W_{\mathbf{q}_j,h,k} + W_{\mathbf{q}_k,h,j}, \tag{17}$$

where $\{j,k\} \subseteq [3]$ and $(V_{1,\mathcal{J}}, V_{2,\mathcal{J}}, V_{3,\mathcal{J}})$ is the MDS coded version of $(V_{1,\mathcal{J}}, V_{2,\mathcal{J}})$ for any $\mathcal{J} = \{j,k\} \subseteq [3]$.

Performance: To show that each user $k$ can decode $W_{\mathbf{d}_k}$ with signals from any $L = 2$ servers, we notice that for each $\mathcal{J} = \{j,k\} \subseteq [3]$, the packets $(Y_{1,\mathcal{J}}, Y_{2,\mathcal{J}}, Y_{3,\mathcal{J}})$ are the MDS coded version of $(Y_{1,\mathcal{J}}, Y_{2,\mathcal{J}})$, where $Y_{l,\{j,k\}} = V_{l,\{j,k\}} + W_{\mathbf{q}_j,l,k} + W_{\mathbf{q}_k,l,j}$. Thus, upon receiving any $L = 2$ of the signals $X_1, X_2, X_3$, each user $k$ can decode all the coded packets $\{ Y_{l,\mathcal{J}} : l \in [2],\ \mathcal{J} \subseteq [3],\ |\mathcal{J}| = 2 \}$. For $j \in [3] \setminus \{k\}$ and $l \in [2]$, user $k$ decodes $W_{\mathbf{d}_k,l,j}$ from $Y_{l,\{j,k\}}$ since

$$Y_{l,\{j,k\}} = W_{\mathbf{d}_k,l,j} + (W_{\mathbf{p}_k,l,j} + V_{l,\{j,k\}}) + W_{\mathbf{q}_j,l,k}, \tag{18}$$

where $W_{\mathbf{p}_k,l,j} + V_{l,\{j,k\}}$ is cached by user $k$ by (15b), and $W_{\mathbf{q}_j,l,k}$ can be computed by user $k$ from the vector $\mathbf{q}_j$ in (16) and the cache content in (15a). The security condition is guaranteed since the transmitted signal is the coded version of $(Y_{1,\mathcal{J}}, Y_{2,\mathcal{J}})$ for each $\mathcal{J} \subseteq [3]$ with cardinality $2$, and a random vector uniformly distributed over $\mathbb{F}_q^{B/6}$ is added to each signal. The server- and user-privacy conditions are guaranteed since the query $\mathbf{q}_k = \mathbf{p}_k + \mathbf{d}_k$ in (16) does not contain any information about $\mathbf{d}_k$, since the vectors $\mathbf{p}_{[K]}$ are independently and uniformly distributed over $\mathbb{F}_q^{4}$.

Note that each packet is of length $B/6$. Each user caches $12$ packets and $1$ vector in $\mathbb{F}_q^{4}$, and each of the $3$ servers sends $3$ packets and $3$ vectors in $\mathbb{F}_q^{4}$. Since the length of the vectors in $\mathbb{F}_q^{4}$ does not scale with $B$, the achieved memory-load point is $(M, R) = (12 \times \frac{1}{6},\ 3 \times 3 \times \frac{1}{6}) = (2, \frac{3}{2})$.

IV. KEY SUPERPOSITION RSP-LFR SCHEME
Here we describe the Key Superposition RSP-LFR Scheme in full generality. The scheme is inspired by the key superposition scheme for the single-server shared-link model [7].

For each $t \in [K]$, define

$$\Omega_t = \{ \mathcal{I} \subseteq [K] : |\mathcal{I}| = t \}. \tag{19}$$

Notice that for $t = K$ in (12), the achievability of $(M_K, R_K) = (N, 0)$ is trivial. In the following, we describe the scheme for $t \in \{0, 1, \ldots, K-1\}$.

Firstly, each subfile $W_{n,l}$ is partitioned into $\binom{K}{t}$ equal-size packets, denoted by

$$W_{n,l} = \{ W_{n,l,\mathcal{I}} : \mathcal{I} \in \Omega_t \}, \quad \forall n \in [N],\ l \in [L]. \tag{20}$$

By (2), each coded subfile $W_{n,h}$ is composed of $\binom{K}{t}$ equal-size packets, i.e.,

$$W_{n,h} = \{ W_{n,h,\mathcal{I}} : \mathcal{I} \in \Omega_t \}, \quad \forall n \in [N],\ h \in [H], \tag{21}$$

where $W_{n,h,\mathcal{I}} = \sum_{l \in [L]} g_{l,h} W_{n,l,\mathcal{I}} \in \mathbb{F}_q^{B/L}$ for all $\mathcal{I} \in \Omega_t$, as per (4). The system operates as follows.

Placement Phase:
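The servers share $L \binom{K}{t+1}$ security keys denoted by $\{ V_{l,\mathcal{J}} : l \in [L],\ \mathcal{J} \in \Omega_{t+1} \}$, which are independently and uniformly distributed over $\mathbb{F}_q^{B/(L\binom{K}{t})}$. Each user $k \in [K]$ generates a vector $\mathbf{p}_k$ randomly and uniformly from $\mathbb{F}_q^{N}$, and constructs $\binom{K-1}{t}$ privacy keys $\{ W_{\mathbf{p}_k,l,\mathcal{I}} : l \in [L],\ \mathcal{I} \in \Omega_t,\ k \notin \mathcal{I} \}$. User $k \in [K]$ caches

$$Z_k = \{ \mathbf{p}_k \} \cup \{ W_{n,l,\mathcal{I}} : n \in [N],\ l \in [L],\ \mathcal{I} \in \Omega_t,\ k \in \mathcal{I} \} \tag{22a}$$
$$\qquad \cup \{ W_{\mathbf{p}_k,l,\mathcal{I}} + V_{l,\mathcal{I} \cup \{k\}} : l \in [L],\ \mathcal{I} \in \Omega_t,\ k \notin \mathcal{I} \}. \tag{22b}$$

Delivery Phase: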
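Assume the demand vector of user $k \in [K]$ is $\mathbf{d}_k$, $\forall k \in [K]$. User $k \in [K]$ generates a query vector $\mathbf{q}_k = \mathbf{p}_k + \mathbf{d}_k$, and sends it to all the servers, i.e.,

$$Q_{k,1} = \ldots = Q_{k,H} = \mathbf{q}_k = \mathbf{p}_k + \mathbf{d}_k, \quad \forall k \in [K]. \tag{23}$$

For each $\mathcal{J} \in \Omega_{t+1}$, let $(V_{1,\mathcal{J}}, \ldots, V_{H,\mathcal{J}})$ be the MDS coded version of $(V_{1,\mathcal{J}}, \ldots, V_{L,\mathcal{J}})$ with generator matrix $G$, i.e., $V_{h,\mathcal{J}} = \sum_{l \in [L]} g_{l,h} V_{l,\mathcal{J}}$ for all $h \in [H]$. Upon receiving the queries $\mathbf{q}_1, \ldots, \mathbf{q}_K$, server $h \in [H]$ creates a signal for each $\mathcal{J} \in \Omega_{t+1}$, i.e.,

$$Y_{h,\mathcal{J}} := V_{h,\mathcal{J}} + \sum_{j \in \mathcal{J}} W_{\mathbf{q}_j,h,\mathcal{J} \setminus \{j\}}, \quad \forall h \in [H]. \tag{24}$$

Notice that $(Y_{1,\mathcal{J}}, \ldots, Y_{H,\mathcal{J}})$ is the MDS coded version of $(Y_{1,\mathcal{J}}, \ldots, Y_{L,\mathcal{J}})$ with the generator matrix $G$, where the signals $Y_{l,\mathcal{J}}$ are defined as

$$Y_{l,\mathcal{J}} \triangleq V_{l,\mathcal{J}} + \sum_{j \in \mathcal{J}} W_{\mathbf{q}_j,l,\mathcal{J} \setminus \{j\}}, \quad \forall l \in [L]. \tag{25}$$

Server $h \in [H]$ sends the signal

$$X_h = \{ \mathbf{q}_k : k \in [K] \} \cup \{ Y_{h,\mathcal{J}} : \mathcal{J} \in \Omega_{t+1} \} \tag{26}$$

to the users via its dedicated shared-link.

Correctness in (10a): We need to show that for each user $k \in [K]$, with any $\mathcal{L} \subseteq [H]$ such that $|\mathcal{L}| = L$, user $k$ can decode $W_{\mathbf{d}_k}$, i.e., all the packets $\{ W_{\mathbf{d}_k,l,\mathcal{I}} : l \in [L],\ \mathcal{I} \in \Omega_t \}$.

In fact, for each $\mathcal{I} \in \Omega_t$ such that $k \in \mathcal{I}$, by (22a), user $k$ has stored all the packets $W_{[N],[L],\mathcal{I}}$, thus it can directly compute the packets $W_{\mathbf{d}_k,l,\mathcal{I}}$ for each $l \in [L]$. Now, consider any $\mathcal{I} \in \Omega_t$ such that $k \notin \mathcal{I}$. Let $\mathcal{J} = \mathcal{I} \cup \{k\}$, and recall that $(Y_{1,\mathcal{J}}, \ldots, Y_{H,\mathcal{J}})$ is the MDS coded version of $(Y_{1,\mathcal{J}}, \ldots, Y_{L,\mathcal{J}})$ with generator matrix $G$. By the property of MDS codes, each user can decode all the $L$ coded packets in (25) with any $L$ of the signals $Y_{1,\mathcal{J}}, \ldots, Y_{H,\mathcal{J}}$. Notice that since $\mathcal{J} = \mathcal{I} \cup \{k\}$, the signal $Y_{l,\mathcal{J}}$ is given by

$$Y_{l,\mathcal{I} \cup \{k\}} = V_{l,\mathcal{I} \cup \{k\}} + W_{\mathbf{q}_k,l,\mathcal{I}} + \sum_{j \in \mathcal{I}} W_{\mathbf{q}_j,l,\mathcal{I} \cup \{k\} \setminus \{j\}} \tag{27a}$$
$$= W_{\mathbf{d}_k,l,\mathcal{I}} + V_{l,\mathcal{I} \cup \{k\}} + W_{\mathbf{p}_k,l,\mathcal{I}} + \sum_{j \in \mathcal{I}} W_{\mathbf{q}_j,l,\mathcal{I} \cup \{k\} \setminus \{j\}}, \tag{27b}$$

where (27b) follows from $\mathbf{q}_k = \mathbf{p}_k + \mathbf{d}_k$.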
Therefore, user $k$ can decode $W_{\mathbf{d}_k,l,\mathcal{I}}$ from the signal $Y_{l,\mathcal{I} \cup \{k\}}$ by canceling the remaining terms since
1) the coded packet $V_{l,\mathcal{I} \cup \{k\}} + W_{\mathbf{p}_k,l,\mathcal{I}}$ is cached by user $k$ by (22b);
2) for each $j \in \mathcal{I}$, since $k \in \mathcal{I} \cup \{k\} \setminus \{j\}$, user $k$ can compute $W_{\mathbf{q}_j,l,\mathcal{I} \cup \{k\} \setminus \{j\}}$ from the vector $\mathbf{q}_j$ and the cached packets $W_{[N],l,\mathcal{I} \cup \{k\} \setminus \{j\}}$ by (22a).

Remark 6. From the above decoding process, user $k$ can decode its demanded linear function if for any $\mathcal{I} \in \Omega_t$ such that $k \notin \mathcal{I}$, user $k$ can receive any $L$ of the coded signals $Y_{1,\mathcal{I} \cup \{k\}}, \ldots, Y_{H,\mathcal{I} \cup \{k\}}$. This is less restrictive than the assumptions in our setup (i.e., each user can obtain a fixed subset of signals $X_{\mathcal{L}}$), since: (i) it allows the available subset $\mathcal{L}$ of signals to vary over different transmissions; and (ii) each user $k \in [K]$ only needs to decode packets over the signals associated to $\mathcal{J} \in \Omega_{t+1}$ such that $k \in \mathcal{J}$.

Security in (10b): We have

$$I(W_{[N]}; X_{[H]}) \tag{28a}$$
$$= I(W_{[N]}; \mathbf{q}_{[K]}, \{ Y_{h,\mathcal{J}} \}_{h \in [H], \mathcal{J} \in \Omega_{t+1}}) \tag{28b}$$
$$= I(W_{[N]}; \mathbf{q}_{[K]}, \{ Y_{l,\mathcal{J}} \}_{l \in [L], \mathcal{J} \in \Omega_{t+1}}) \tag{28c}$$
$$= I(W_{[N]}; \mathbf{q}_{[K]}) + I(W_{[N]}; \{ Y_{l,\mathcal{J}} \}_{l \in [L], \mathcal{J} \in \Omega_{t+1}} \mid \mathbf{q}_{[K]}) \tag{28d}$$
$$= 0, \tag{28e}$$

where: (28c) holds since $(Y_{1,\mathcal{J}}, \ldots, Y_{H,\mathcal{J}})$ is the MDS coded version of $(Y_{1,\mathcal{J}}, \ldots, Y_{L,\mathcal{J}})$ for each $\mathcal{J} \in \Omega_{t+1}$, and hence they determine each other; and (28e) follows since (a) the vectors $\mathbf{q}_{[K]} = \mathbf{d}_{[K]} + \mathbf{p}_{[K]}$ are independent of $W_{[N]}$, and (b) $\{ Y_{l,\mathcal{J}} \}_{l \in [L], \mathcal{J} \in \Omega_{t+1}}$ are independent of $(W_{[N]}, \mathbf{q}_{[K]})$ because the random variables $\{ V_{l,\mathcal{J}} \}_{l \in [L], \mathcal{J} \in \Omega_{t+1}}$ are independently and uniformly distributed over $\mathbb{F}_q^{B/(L\binom{K}{t})}$.
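Server Privacy in (10c): We have

$$I(\mathbf{d}_{[K]}; Q_{[K],[H]}, W_{[N],[H]}, V) \tag{29a}$$
$$= I(\mathbf{d}_{[K]}; \mathbf{q}_{[K]}, W_{[N]}, V) \tag{29b}$$
$$= I(\mathbf{d}_{[K]}; W_{[N]}, V) + I(\mathbf{d}_{[K]}; \mathbf{q}_{[K]} \mid W_{[N]}, V) \tag{29c}$$
$$= 0, \tag{29d}$$

where: (29b) follows from (23) and the fact that $W_{[N],[H]}$ and $W_{[N]}$ determine each other; and (29d) follows from (6) and the fact that $\mathbf{q}_{[K]} = \mathbf{p}_{[K]} + \mathbf{d}_{[K]}$ are independent of $(\mathbf{d}_{[K]}, W_{[N]}, V)$ since the vectors $\mathbf{p}_{[K]}$ are independent random variables uniformly distributed over $\mathbb{F}_q^{N}$.

User Privacy in (10d): We have

$$I(\mathbf{d}_{[K] \setminus \mathcal{S}}; Z_{\mathcal{S}}, X_{[H]}, \mathbf{d}_{\mathcal{S}} \mid W_{[N]}) \tag{30a}$$
$$= I(\mathbf{d}_{[K] \setminus \mathcal{S}}; Z_{\mathcal{S}}, \mathbf{q}_{[K]}, \{ Y_{l,\mathcal{J}} \}_{l \in [L], \mathcal{J} \in \Omega_{t+1}}, \mathbf{d}_{\mathcal{S}} \mid W_{[N]}) \tag{30b}$$
$$= 0, \tag{30c}$$

where: (30b) follows along similar lines as (28a)–(28c); and (30c) follows since $\mathbf{d}_{[K] \setminus \mathcal{S}} = \mathbf{q}_{[K] \setminus \mathcal{S}} - \mathbf{p}_{[K] \setminus \mathcal{S}}$ is independent of $(Z_{\mathcal{S}}, W_{[N]}, \mathbf{q}_{[K]}, \mathbf{d}_{\mathcal{S}}, \{ Y_{h,\mathcal{J}} \}_{h \in [H], \mathcal{J} \in \Omega_{t+1}})$ since $\mathbf{p}_{[K] \setminus \mathcal{S}}$ are independently and uniformly distributed over $\mathbb{F}_q^{N}$.

Performance: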
By (20), each subfile is split into $\binom{K}{t}$ equal-size packets, each of length $B / (L \binom{K}{t})$. By the cached content in (22), each user $k$ caches $N L \binom{K-1}{t-1}$ uncoded packets in (22a), $L \binom{K-1}{t}$ coded packets in (22b) and a vector of length $N$ in (22a). Therefore, the achieved memory size is

$$M = \inf_{B \in \mathbb{N}^{+}} \frac{1}{B} \left( \left( N L \binom{K-1}{t-1} + L \binom{K-1}{t} \right) \frac{B}{L \binom{K}{t}} + N \right) \tag{31}$$
$$= 1 + \frac{t(N-1)}{K}. \tag{32}$$

Moreover, by (26), each server sends $K$ vectors of length $N$ and $\binom{K}{t+1}$ coded packets, thus the load is given by

$$R = \inf_{B \in \mathbb{N}^{+}} \frac{H}{B} \left( \binom{K}{t+1} \frac{B}{L \binom{K}{t}} + K N \right) = \frac{H(K-t)}{L(t+1)}. \tag{33}$$

Note that, although there are some redundant signals over the servers in (26), i.e., the vectors $\mathbf{q}_{[K]}$ are transmitted by all the servers, by the calculation in (33), further reducing the redundancy does not decrease the load, since the load needed to transmit the vectors $\mathbf{q}_{[K]}$ does not scale with $B$.

Optimality:
Let $R^{*}_{\text{Single}}(M)$ be the optimal load-memory tradeoff for a single-server network with $N$ files and $K$ users, where the correctness, security and user privacy conditions are imposed as in [7]. For any feasible design of caches $Z_{[K]}$ and signals $X_{[H]}$ in our setup, for any $\mathcal{L} \subseteq [H]$, the contents $Z_{[K]}$ and signal $X \triangleq X_{\mathcal{L}}$ are a feasible scheme in the single server setup. Thus, $\frac{H(X_{\mathcal{L}})}{B} \ge R^{*}_{\text{Single}}(M)$ holds for all $\mathcal{L} \subseteq [H]$, $|\mathcal{L}| = L$. Therefore,

$$R^{*}(M) \ge \frac{1}{B} \sum_{h \in [H]} H(X_h) = \frac{H}{B} \cdot \frac{1}{H} \sum_{h \in [H]} H(X_h) \tag{34a}$$
$$\ge \frac{H}{B} \cdot \frac{1}{\binom{H}{L}} \sum_{\mathcal{L} \subseteq [H], |\mathcal{L}| = L} \frac{H(X_{\mathcal{L}})}{L} \tag{34b}$$
$$= H \cdot \frac{1}{\binom{H}{L}} \sum_{\mathcal{L} \subseteq [H], |\mathcal{L}| = L} \frac{R^{*}_{\text{Single}}(M)}{L} \tag{34c}$$
$$\ge \frac{H}{L} \cdot R^{*}_{\text{Single}}(M), \tag{34d}$$

where (34b) follows from Han's inequality [14]. Recall that $R(M) = \frac{H}{L} R_{\text{Single}}(M)$ (see Remark 5), hence by (34d),

$$\frac{R(M)}{R^{*}(M)} \le \frac{R_{\text{Single}}(M)}{R^{*}_{\text{Single}}(M)}. \tag{35}$$

Thus, the claimed multiplicative gap result directly follows from (35) and the bound for $\frac{R_{\text{Single}}(M)}{R^{*}_{\text{Single}}(M)}$ in [7, Theorem 3].

Remark 7. Note that
1) If the security keys are removed (i.e., setting $V_{\mathcal{J}} = 0$ for all $\mathcal{J} \in \Omega_{t+1}$), then the scheme degrades to an LFR scheme only guaranteeing server- and user-privacy, which achieves the same memory-load pair as in (12);
2) If the privacy keys are removed (i.e., setting $\mathbf{p}_1 = \ldots = \mathbf{p}_K = \mathbf{0}$), then the scheme degrades to an LFR scheme that only guarantees security, which achieves the same memory-load pair as in (12);
3) If both the security and privacy keys are removed (i.e., setting $V_{\mathcal{J}} = 0$ for all $\mathcal{J} \in \Omega_{t+1}$ and $\mathbf{p}_1 = \ldots = \mathbf{p}_K = \mathbf{0}$), then the scheme degrades to an ordinary LFR scheme, which achieves the memory-load pair $\left( \frac{tN}{K}, \frac{H(K-t)}{L(t+1)} \right)$.

Remark 8. In the special cases that the security keys (i.e., cases 1) and 3) in Remark 7) are not used, in the regime $N \le K$, and $t \le K - N$, some redundant signals determined by the queries $\mathbf{q}_1, \ldots, \mathbf{q}_K$ can be removed from each server, similar to the single server cases [4], [6], and a better memory-load tradeoff can be achieved.

ACKNOWLEDGMENT
This work was supported in part by NSF Award 1910309.
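The Key Superposition scheme of Section IV, run on the $(N, K, L, H) = (4, 3, 2, 3)$ system of Example 1 with $t = 1$, as an added sketch that is not code from the paper: it performs placement, delivery and decoding, and exposes the cache and signal sizes behind $(M, R)$. The field size $q = 2$ (so addition is XOR), the 64-bit packet length, 0-based indices and all function names are assumptions of this example.

```python
import itertools
import secrets
from functools import reduce
from operator import xor

# Assumptions of this example: q = 2, constructed 64-bit packets, 0-based indices.
N, K, L, H, t = 4, 3, 2, 3, 1
G = [[1, 0, 1], [0, 1, 1]]   # (H, L) = (3, 2) MDS generator over F_2
BITS = 64
USERS = range(K)
OMEGA_T = [frozenset(c) for c in itertools.combinations(USERS, t)]
OMEGA_T1 = [frozenset(c) for c in itertools.combinations(USERS, t + 1)]

def xor_all(values):
    return reduce(xor, values, 0)

def lin(a, packets):
    """sum_n a_n * packets[n] over F_2."""
    return xor_all(p for a_n, p in zip(a, packets) if a_n)

def mds_encode(uncoded, h):
    """Symbol for server h: sum_l g_{l,h} * uncoded[l]."""
    return xor_all(uncoded[l] for l in range(L) if G[l][h])

def mds_decode(coded):
    """Recover the L uncoded symbols from {server: symbol} for any L servers (Gauss-Jordan)."""
    rows = [([G[l][h] for l in range(L)], y) for h, y in coded.items()]
    for col in range(L):
        piv = next(i for i in range(col, L) if rows[i][0][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(L):
            if i != col and rows[i][0][col]:
                coeffs = [a ^ b for a, b in zip(rows[i][0], rows[col][0])]
                rows[i] = (coeffs, rows[i][1] ^ rows[col][1])
    return [y for _, y in rows]

def placement(W):
    """Security keys V[l][J], private vectors p_k, and the caches of (22a)-(22b)."""
    V = [{J: secrets.randbits(BITS) for J in OMEGA_T1} for _ in range(L)]
    caches = []
    for k in USERS:
        p = [secrets.randbits(1) for _ in range(N)]
        plain = {(n, l, I): W[n][l][I]
                 for n in range(N) for l in range(L) for I in OMEGA_T if k in I}
        keyed = {(l, I): lin(p, [W[n][l][I] for n in range(N)]) ^ V[l][I | {k}]
                 for l in range(L) for I in OMEGA_T if k not in I}
        caches.append({"p": p, "plain": plain, "keyed": keyed})
    return V, caches

def server_signal(h, q, V, W):
    """Coded packets Y_{h,J} of (24), built from server h's coded subfiles and coded keys."""
    def coded(n, I):
        return mds_encode([W[n][l][I] for l in range(L)], h)
    return {J: mds_encode([V[l][J] for l in range(L)], h)
               ^ xor_all(lin(q[j], [coded(n, J - {j}) for n in range(N)]) for j in J)
            for J in OMEGA_T1}

def user_decode(k, d_k, cache, q, signals):
    """Recover every packet W_{d_k,l,I} from the signals of exactly L servers."""
    got = {}
    for I in OMEGA_T:
        if k in I:   # library packets cached in the clear, (22a)
            for l in range(L):
                got[(l, I)] = lin(d_k, [cache["plain"][(n, l, I)] for n in range(N)])
            continue
        J = I | {k}
        Y = mds_decode({h: sig[J] for h, sig in signals.items()})
        for l in range(L):   # cancel the cached key and the other users' terms, (27b)
            side = xor_all(lin(q[j], [cache["plain"][(n, l, J - {j})] for n in range(N)])
                           for j in I)
            got[(l, I)] = Y[l] ^ cache["keyed"][(l, I)] ^ side
    return got

def run(demands, servers):
    """One placement and delivery round using only the given L servers."""
    W = [[{I: secrets.randbits(BITS) for I in OMEGA_T} for _ in range(L)] for _ in range(N)]
    V, caches = placement(W)
    q = [[a ^ b for a, b in zip(caches[k]["p"], demands[k])] for k in USERS]
    signals = {h: server_signal(h, q, V, W) for h in servers}
    decoded = [user_decode(k, demands[k], caches[k], q, signals) for k in USERS]
    truth = [{(l, I): lin(demands[k], [W[n][l][I] for n in range(N)])
              for l in range(L) for I in OMEGA_T} for k in USERS]
    return decoded, truth, caches, signals
```

Calling `run(demands, servers)` for each of the three server pairs returns `decoded == truth`, with 12 cached packets per user and 3 coded packets per server, the counts that give $(M, R) = (2, 3/2)$.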
REFERENCES
[1] M. A. Maddah-Ali and U. Niesen, "Fundamental limits of caching," IEEE Trans. Inf. Theory, vol. 60, no. 5, pp. 2856–2867, May 2014.
[2] K. Wan, D. Tuninetti and P. Piantanida, "An index coding approach to caching with uncoded cache placement," IEEE Trans. Inf. Theory, vol. 66, no. 3, pp. 1318–1332, Mar. 2020.
[3] Q. Yu, M. A. Maddah-Ali, and A. S. Avestimehr, "The exact rate-memory tradeoff for caching with uncoded prefetching," IEEE Trans. Inf. Theory, vol. 64, pp. 1281–1296, Feb. 2018.
[4] K. Wan, H. Sun, M. Ji, D. Tuninetti, and G. Caire, "On the optimal load-memory tradeoff of cache-aided scalar linear function retrieval," arXiv:2001.03577v1.
[5] A. Sengupta, R. Tandon, and T. C. Clancy, "Fundamental limits of caching with secure delivery," IEEE Trans. Inf. Forensics Security, vol. 10, no. 2, pp. 355–370, Feb. 2015.
[6] Q. Yan and D. Tuninetti, "Fundamental limits of caching for demand privacy against colluding users," arXiv:2008.03642.
[7] Q. Yan and D. Tuninetti, "Key superposition simultaneously achieves security and privacy in cache-aided linear function retrieval," arXiv:2009.06000.
[8] A. G. Dimakis, K. Ramchandran, Y. Wu, and C. Suh, "A survey on network codes for distributed storage," Proc. IEEE, vol. 99, no. 3, pp. 476–489, Mar. 2011.
[9] K. Banawan and S. Ulukus, "The capacity of private information retrieval from coded databases," IEEE Trans. Inf. Theory, vol. 64, no. 3, pp. 1945–1956, Mar. 2017.
[10] J. Zhu, Q. Yan, C. Qi, and X. Tang, "A new capacity-achieving private information retrieval scheme with (almost) optimal file length for coded servers," IEEE Trans. Inf. Forensics Secur., vol. 15, pp. 1248–1260, 2020.
[11] R. Zhou, C. Tian, T. Liu, and H. Sun, "Capacity-achieving private information retrieval codes from MDS-coded databases with minimum message size," IEEE Trans. Inf. Theory, vol. 66, no. 8, pp. 4904–4916, Aug. 2020.
[12] X. Zhang, K. Wan, H. Sun and M. Ji, "Cache-aided multiuser private information retrieval," in Proc. 2019 IEEE Int. Sym. Inf. Theory (ISIT), Los Angeles, CA, U.S.A, Jun. 2020.
[13] Q. Yan, M. Cheng, X. Tang, and Q. Chen, "On the placement delivery array design for centralized coded caching scheme," IEEE Trans. Inf. Theory, vol. 63, no. 9, pp. 5821–5833, Sep. 2017.
[14] T. M. Cover and J. A. Thomas, "Elements of Information Theory,"