An Ω(n^(1/3)) Lower Bound for Bilinear Group Based PIR
Transcript
Codes with local decoding procedures
Sergey Yekhanin
Microsoft Research
Error-correcting codes: paradigm

Sender → Receiver:
  x ∈ F_2^k → Encoder → E(x) ∈ F_2^n → Channel → E(x) + noise → Decoder → x
  0110001             011000100101            01*00*10010*             0110001
The channel erases up to e coordinates.
• The paradigm dates back to the 1940s (Shannon / Hamming)
• One limitation: recovering a single message coordinate requires processing the entire corrupted codeword
Local decoding: paradigm

  x ∈ F_2^k → Encoder → E(x) ∈ F_2^n → Channel → E(x) + noise → Local Decoder → X_i
  0110001             011000100101            01*00*10010*
The channel erases up to e coordinates; the local decoder reads up to r coordinates.
The local decoder runs in time much smaller than the message length!
• First account: Reed's decoder for Muller's codes (1954)
• Implicit use: 1950s-1990s
• Formal definition and systematic study (late 1990s) [Levin'95, STV'98, KT'00]
  ▪ Original applications in computational complexity theory
  ▪ Cryptography
  ▪ Most recently used in practice to provide reliability in distributed storage
    (Microsoft Azure, Windows Server, Windows, Hadoop, etc.)
Local decoding: example

E(X) = (X1, X2, X3, X1⊕X2, X1⊕X3, X2⊕X3, X1⊕X2⊕X3)

Message length: k = 3
Codeword length: n = 7
Erased locations: e = 3
Locality: r = 2
Local decoding: decoding tuples for X1

{X1}, {X2, X1⊕X2}, {X3, X1⊕X3}, {X2⊕X3, X1⊕X2⊕X3}
Local decoding: decoding tuples for X2

{X2}, {X1, X1⊕X2}, {X3, X2⊕X3}, {X1⊕X3, X1⊕X2⊕X3}
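The example above is small enough to run. Below is a minimal Python sketch (function names are ours) of the [7, 3] code and a local decoder for X1 that tries its four disjoint decoding tuples in turn:

```python
# A minimal sketch (names ours) of the [7,3] example code: the message
# (X1, X2, X3) is encoded as all non-empty XOR combinations of its bits.
def encode(x1, x2, x3):
    return [x1, x2, x3, x1 ^ x2, x1 ^ x3, x2 ^ x3, x1 ^ x2 ^ x3]

# Decoding tuples for X1 (0-based codeword positions); they partition [7]:
# {X1}, {X2, X1^X2}, {X3, X1^X3}, {X2^X3, X1^X2^X3}
TUPLES_X1 = [(0,), (1, 3), (2, 4), (5, 6)]

def decode_x1(word):
    """Recover X1 from a codeword with erasures marked as None."""
    for tup in TUPLES_X1:
        if all(word[p] is not None for p in tup):
            acc = 0
            for p in tup:
                acc ^= word[p]
            return acc
    raise ValueError("more than 3 erasures hit every decoding tuple")

c = encode(1, 0, 1)
c[0] = c[3] = c[6] = None     # erase e = 3 coordinates
print(decode_x1(c))           # reads at most r = 2 coordinates; recovers X1 = 1
```

Because the four tuples are disjoint, any 3 erasures miss at least one of them, which is exactly why e = 3 is tolerated with locality 2.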
Codes with local decoding

Setting: Encode k-dimensional messages to n-dimensional codewords.
Main parameters: redundancy n − k, locality r, and noise level e.
Goal: Understand the true shape of the tradeoff between redundancy and locality, for different settings of noise (e.g., e = δn, n^ε, O(1)).
Taxonomy of known families of codes

[Figure: taxonomy of known families of codes, plotting locality r (O(1), (log k)^c, k^ε) against noise level e (O(1), n^ε, δn). Families shown: Reed Muller codes, matching vector codes, multiplicity codes, projective geometry codes, and local reconstruction codes. The high-noise regime corresponds to locally decodable codes with applications in crypto / complexity; the low-noise regime corresponds to applications in data storage.]
Plan
• Part I: (Locally decodable codes)
  • Private Information Retrieval (PIR) schemes
  • PIR schemes from smooth codes
  • Reed Muller codes
• Part II: (Codes with locality for distributed data storage)
  • Erasure coding for data storage
  • Local reconstruction codes for data storage
  • Constructions and limitations
Part I: Locally decodable codes
Smooth codes

[Figure: a codeword E(X) with coordinates c1, …, cn; one decoding r-tuple for X_i is highlighted.]

Definition: Consider a code E that encodes k-dimensional messages X to n-dimensional codewords E(X). For every i in [k], we have a family of decoding r-tuples D_i. We say that E is r-smooth if for each i in [k], the r-tuples in D_i partition the set [n].

Note: If the code E is r-smooth, then each X_i can be recovered by reading r coordinates after e = n/r − 1 erasures in E(X).
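For the [7, 3] example above, the smoothness condition and the resulting erasure tolerance can be checked by brute force. A small Python sketch (the tuple tables are transcribed from the example slides):

```python
# Brute-force smoothness check for the [7,3] example (tuple tables transcribed
# from the slides): for each message bit the decoding tuples must partition
# [n]. Since each tuple has size <= r = 2, there are at least 4 disjoint
# tuples per bit, so any 3 erasures leave at least one tuple fully readable.
from itertools import combinations

N = 7
DECODING_TUPLES = {
    0: [(0,), (1, 3), (2, 4), (5, 6)],   # X1
    1: [(1,), (0, 3), (2, 5), (4, 6)],   # X2
    2: [(2,), (0, 4), (1, 5), (3, 6)],   # X3
}

for i, tuples in DECODING_TUPLES.items():
    assert sorted(p for t in tuples for p in t) == list(range(N))
    for erased in combinations(range(N), 3):
        assert any(set(t).isdisjoint(erased) for t in tuples)
print("r-smooth: every decoding-tuple family partitions [7]")
```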
Private information retrieval [CGKS]

Protocols that allow users to privately retrieve items from replicated DBs.

Protocol:
• Each server encodes the k-bit database X with the same r-query smooth code, X → E(X).
• The user, interested in X_i, picks a random r-tuple T from D_i.
• The user sends the r elements of T to r different servers.
• Servers respond with the respective coordinates of E(X).
• The user finds out X_i.
(Each server observes a sample from a uniform distribution on [n].)
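As a concrete toy instance of this protocol, the classic 2-server scheme based on the Hadamard (all-parities) code can be simulated in a few lines of Python. All names are ours, and for simplicity each server answers the parity of a queried subset rather than storing E(X) explicitly; each subset query is one codeword coordinate:

```python
# Toy 2-server PIR in the spirit of the protocol above, instantiated with the
# Hadamard (all-parities) code: a coordinate of E(X) is the XOR of the bits
# indexed by a subset S of [k]. The user sends S to one server and S xor {i}
# to the other; each server alone sees a uniformly random subset. Names ours.
import random

def server_answer(x, subset):
    """One codeword coordinate: XOR of the database bits indexed by `subset`."""
    acc = 0
    for j in subset:
        acc ^= x[j]
    return acc

def retrieve(x, i, rng):
    s1 = {j for j in range(len(x)) if rng.random() < 0.5}   # uniform subset
    s2 = s1 ^ {i}                                           # differs exactly at i
    return server_answer(x, s1) ^ server_answer(x, s2)      # = x[i]

rng = random.Random(1)
x = [1, 0, 1, 1, 0]
assert all(retrieve(x, i, rng) == x[i] for i in range(len(x)) for _ in range(10))
print("user recovers X_i; each server's query alone is independent of i")
```

The XOR of the two answers is the parity over the symmetric difference of the subsets, which is exactly {i}; privacy holds because each query, viewed in isolation, is a uniform subset regardless of i.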
Private information retrieval

Properties of the protocol:
• Information theoretic privacy ← smoothness
• Number of DB replicas needed ← locality
• Communication complexity ← codeword length

Short smooth codes with low query complexity yield efficient PIR schemes.

Example: 3-server schemes with 2^(Õ(√log n)) communication to access an n-bit DB. [Dvir Gopi 2014]: a 2-server scheme with the same communication.
Reed Muller codes

• Parameters: q, m, d = q − 2.
• Codewords: evaluations of degree-d polynomials in m variables over F_q.
• A polynomial f ∈ F_q[z_1, …, z_m] with deg f ≤ d yields the codeword (f(x)) for x ∈ F_q^m.
• Encoder is systematic.
• Parameters: n = q^m, k = (m + d choose d).
• We argue that the code is r-smooth for r = q − 1.
Reed Muller codes: local decoding

• Key observation: the restriction of a codeword to an affine line L yields an evaluation of a univariate polynomial f|_L of degree at most d.
• Decoding tuples for the value at x ∈ F_q^m:
  - Consider all affine lines through x.
  - Use polynomial interpolation.
• Smooth code: the affine lines through x partition the remaining coordinates of F_q^m. The decoder reads q − 1 coordinates.
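This line-decoding procedure is easy to simulate over a small prime field. A Python sketch with q = 7, m = 2, d = q − 2 = 5 (the polynomial f is our own toy choice; the decoder only queries the q − 1 points of a random line through x, never x itself):

```python
# Toy Reed Muller local decoder over F_7 (q = 7, m = 2, d = q - 2 = 5).
# The polynomial f is our own toy choice; the decoder queries only the
# q - 1 points of a random affine line through x (never x itself) and
# Lagrange-interpolates the univariate restriction at t = 0.
import random

Q, M = 7, 2

def f(z):                                   # total degree 3 + 2 = 5 <= d
    z1, z2 = z
    return (3 * z1**3 * z2**2 + z1 * z2 + 5) % Q

def local_decode(eval_oracle, x, rng):
    v = [rng.randrange(1, Q) for _ in range(M)]       # direction of the line
    ts = list(range(1, Q))                            # skip t = 0, i.e. x itself
    ys = [eval_oracle(tuple((xi + t * vi) % Q for xi, vi in zip(x, v)))
          for t in ts]
    # Lagrange interpolation of the degree <= d restriction, evaluated at t = 0
    val = 0
    for j, tj in enumerate(ts):
        num, den = 1, 1
        for l, tl in enumerate(ts):
            if l != j:
                num = num * (0 - tl) % Q
                den = den * (tj - tl) % Q
        val = (val + ys[j] * num * pow(den, Q - 2, Q)) % Q
    return val

rng = random.Random(0)
x = (2, 6)
assert local_decode(f, x, rng) == f(x)      # reads only q - 1 = 6 coordinates
print("decoded f(x) =", f(x))
```

The q − 1 queried points determine the degree ≤ d = q − 2 restriction uniquely, so interpolation at t = 0 always returns the correct value of f(x).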
Reed Muller codes: parameters

n = q^m,  k = (m + d choose d),  d = q − 2,  r = q − 1.

Setting parameters:
• q = O(1), m → ∞:  r = O(1),  n = exp(k^(1/(r−1))).
• q = m^2:  r = (log k)^2,  n = poly(k).
• q → ∞, m = O(1):  e = δn,  r = n^ε,  n = O(k).

Better codes are known. Reducing the codeword length of locally decodable codes is a major open problem.
Part II: Distributed storage
Data storage
• Store data reliably
• Keep it readily available for users

Data storage: Replication
• Store data reliably
• Keep it readily available for users
• Very large overhead
• Moderate reliability
• Local recovery: lose one machine, access one
Data storage: Erasure coding
• Store data reliably
• Keep it readily available for users
• Low overhead
• High reliability
• No local recovery: lose one machine, access k
(k data chunks, n − k parity chunks)

Need: Erasure codes with local decoding
Codes for data storage

X1 X2 … Xk | P1 … P(n−k)

• Goals:
  • (Cost) Minimize the number of parities.
  • (Reliability) Tolerate any pattern of h + 1 simultaneous failures.
  • (Availability) Recover any data symbol by accessing at most r other symbols.
  • (Computational efficiency) Use a small finite field to define parities.
Local reconstruction codes

• Def: An (r, h)-Local Reconstruction Code (LRC) encodes k symbols to n symbols, and
  • Corrects any pattern of h + 1 simultaneous failures;
  • Recovers any single erased data symbol by accessing at most r other symbols.
• Theorem [GHSY]: In any (r, h)-LRC, the redundancy satisfies n − k ≥ k/r + h.
• Theorem [GHSY]: If r | k and h < r + 1, then any (r, h)-LRC has the following topology: the data symbols X1, …, Xk are split into k/r local groups of r symbols each, every group has one light parity (L1, …, Lg), and there are h heavy parities H1, …, Hh.
• Fact [HCL]: There exist (r, h)-LRCs with optimal redundancy over a field of size k + h.
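The locality half of the definition can be illustrated with plain XOR parities. A minimal Python sketch of the topology above for k = 8, r = 4 (the h heavy parities, which require a larger field to guarantee h + 1-failure correction, are omitted here):

```python
# Locality sketch for the topology above, k = 8, r = 4: two local groups, each
# with one XOR light parity; a lost data symbol is rebuilt from the r other
# symbols of its group. The h heavy parities (which need a larger field to
# guarantee correction of h + 1 failures) are omitted in this sketch.
from functools import reduce

K, R = 8, 4
data = [1, 0, 1, 1, 0, 0, 1, 0]                       # X1..X8
groups = [list(range(0, R)), list(range(R, K))]
light = [reduce(lambda a, b: a ^ b, (data[j] for j in g)) for g in groups]

def recover(lost, data, light):
    """Rebuild data[lost] from the r - 1 other data symbols plus the light parity."""
    gi = next(i for i, g in enumerate(groups) if lost in g)
    acc = light[gi]
    for j in groups[gi]:
        if j != lost:
            acc ^= data[j]
    return acc

assert all(recover(i, data, light) == data[i] for i in range(K))
print("every data symbol is recoverable from r =", R, "reads")
```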
Reliability

Set k = 8, r = 4, and h = 3.

[Figure: two local groups, X1…X4 with light parity L1 and X5…X8 with light parity L2, plus heavy parities H1, H2, H3.]

• All 4-failure patterns are correctable.
• Some 5-failure patterns are not correctable.
• Other 5-failure patterns might be correctable.
Combinatorics of correctable failure patterns

Def: A regular failure pattern for an (r, h)-LRC is a pattern that can be obtained by failing at most one symbol in each local group and h extra symbols.

[Figure: two example failure patterns on the k = 8, r = 4, h = 3 layout above.]

Theorem:
• If a failure pattern is not regular, then it is not correctable by any LRC.
• There exist LRCs that correct all regular failure patterns.
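The definition of a regular pattern can be checked by brute force for the k = 8, r = 4, h = 3 layout above. A Python sketch (we take each local group to consist of its r data symbols plus its light parity; this layout choice is ours):

```python
# Brute-force reading of the definition above, for k = 8, r = 4, h = 3: a
# regular failure pattern fails at most one symbol per local group (each group
# = its r data symbols plus its light parity) and up to h extra symbols
# anywhere. We enumerate all such patterns and test membership. Layout ours.
from itertools import combinations, product

H = 3
GROUPS = [["X1", "X2", "X3", "X4", "L1"], ["X5", "X6", "X7", "X8", "L2"]]
ALL = [s for g in GROUPS for s in g] + ["H1", "H2", "H3"]

regular = set()
for picks in product(*[[None] + g for g in GROUPS]):    # <= 1 per local group
    base = frozenset(p for p in picks if p is not None)
    for extra_n in range(H + 1):
        for extras in combinations(ALL, extra_n):        # up to h extras
            regular.add(base | frozenset(extras))

def is_regular(pattern):
    return frozenset(pattern) in regular

assert is_regular({"X1", "X5", "H1", "H2", "H3"})        # 1 per group + 3 extras
assert not is_regular({"X1", "X2", "X3", "X4", "X5", "X6", "X7", "X8"})
print("number of regular failure patterns:", len(regular))
```

Note that with two local groups a regular pattern has at most 2 + h = 5 failures here, matching the reliability slide: 4 failures are always correctable, while some 5-failure patterns are not.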
Maximally recoverable codes

Def: An (r, h)-LRC is maximally recoverable if it corrects all regular failure patterns.

Theorem [BHH]: Maximally recoverable (r, h)-LRCs exist.
Proof sketch: Pick the coefficients in the heavy parities at random from a large finite field.

Asymptotic setting: h = O(1), r = O(1), k → ∞.
A random choice needs a field of size at least [KM]: Ω(k^(h−1)).
The tradeoff: larger fields allow for more reliable codes, up to maximal recoverability.
We want both: small field size (efficiency) and maximal recoverability.
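The proof sketch can be replayed for tiny parameters: draw random heavy-parity coefficients over a large prime field (our choice of field and layout; the slides do not fix one) and verify by rank computations that every maximal regular failure pattern becomes correctable:

```python
# Replay of the random construction for tiny parameters (k = 4, r = 2, h = 2):
# heavy-parity coefficients are drawn from a large prime field (our choice of
# field and layout). A failure pattern F is correctable iff the parity-check
# columns indexed by F are linearly independent; we check all maximal regular
# patterns (one failure per local group plus h extras).
import random
from itertools import combinations, product

P = 2147483647                   # a large prime
K, GROUPS, H = 4, [[0, 1], [2, 3]], 2
G = len(GROUPS)
N = K + G + H                    # data, light parities, heavy parities
rng = random.Random(0)

pc = []                          # parity-check rows over F_P
for gi, grp in enumerate(GROUPS):          # light: sum(group) - L_gi = 0
    row = [0] * N
    for j in grp:
        row[j] = 1
    row[K + gi] = P - 1
    pc.append(row)
for t in range(H):                         # heavy: random combo of data - H_t = 0
    row = [rng.randrange(1, P) for _ in range(K)] + [0] * (G + H)
    row[K + G + t] = P - 1
    pc.append(row)

def rank_mod_p(mat):
    mat, rank = [r[:] for r in mat], 0
    for c in range(len(mat[0])):
        piv = next((i for i in range(rank, len(mat)) if mat[i][c]), None)
        if piv is None:
            continue
        mat[rank], mat[piv] = mat[piv], mat[rank]
        inv = pow(mat[rank][c], P - 2, P)
        for i in range(len(mat)):
            if i != rank and mat[i][c]:
                fac = mat[i][c] * inv % P
                mat[i] = [(a - fac * b) % P for a, b in zip(mat[i], mat[rank])]
        rank += 1
    return rank

def correctable(F):
    return rank_mod_p([[row[j] for j in F] for row in pc]) == len(F)

group_syms = [grp + [K + gi] for gi, grp in enumerate(GROUPS)]
for picks in product(*group_syms):
    for extras in combinations(range(N), H):
        F = sorted(set(picks) | set(extras))
        assert correctable(F)
print("random heavy coefficients gave a maximally recoverable code")
```

Checking only maximal regular patterns suffices, since any subset of a correctable erasure set is itself correctable; the check fails only if a random minor vanishes, which happens with probability on the order of 1/P.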
Explicit maximally recoverable codes

Theorem [GHJY]: There exist maximally recoverable (r, h)-LRCs over a field of size O(k)^(h−1).

Comparison:
• Our alphabet grows as k^(h−1) or slower.
• Beats random codes for small h and large r.
• Our only lower bound for the alphabet size thus far is k + 1, independent of h.
Code construction

We use dual constraints to specify the code. There are k/r + 1 local groups (the heavy parities form a group of their own). The parity-check matrix has:
• one row per light parity L1, …, L(k/r), with 1's on the positions of its local group;
• h rows for the heavy parities H1, …, Hh: row t (t = 1, …, h) has entry α_ij^(2^(t−1)) in the j-th column of the i-th group.

We consider a sequence of field extensions F_2 ⊆ F_2^a ⊆ F_2^b:
• {λ_j} ⊆ F_2^a form a basis over F_2;
• {μ_i} ⊆ F_2^b are h-independent over F_2^a;
• α_ij = λ_j × μ_i.
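The recipe α_ij = λ_j × μ_i is easy to instantiate concretely. A Python sketch over GF(2^8) with the AES reduction polynomial (our choice; the λ and μ values below are illustrative only, and h-independence of the μ's is not verified here):

```python
# Toy instantiation of alpha_ij = lambda_j x mu_i in GF(2^8) with the AES
# reduction polynomial x^8 + x^4 + x^3 + x + 1 (our choice). The lambda and mu
# values are illustrative only; h-independence of the mu's is not verified.
def gf_mul(a, b, poly=0x11B, bits=8):
    """Carry-less ("Russian peasant") multiplication in GF(2^bits) mod poly."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> bits:
            a ^= poly
    return res

LAMBDAS = [0x01, 0x02, 0x04, 0x08]     # a basis-like set for the columns
MUS = [0x53, 0xCA, 0x0F]               # one multiplier per local group
alpha = {(i, j): gf_mul(mu, lam)
         for i, mu in enumerate(MUS) for j, lam in enumerate(LAMBDAS)}
print(hex(alpha[(0, 1)]))              # alpha_01 = mu_0 * lambda_1
```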
Erasure correction

Example: k = 8, r = 4, h = 2.

[Worked example: the dual constraints consist of the all-ones light rows for the groups X1…X4 | L1 and X5…X8 | L2, together with heavy rows whose entries are α_ij, α_ij^2, α_ij^4. Given a failure pattern, the light rows eliminate one erased symbol per group; this combines columns and turns the heavy-row coefficients into α_11 + α_12, (α_11 + α_12)^2, (α_11 + α_12)^4, and similarly α_21 + α_22 and α_31. By the choice of the α's these equal (λ_1 + λ_2) × μ_1, (λ_1 + λ_2) × μ_2, λ_1 × μ_3, and the resulting system is nonsingular because the λ's are linearly independent over F_2 and the μ's are h-independent over F_2^a.]
Looking forward

• Codes with locality allow super-fast recovery of individual message coordinates from corrupted codewords.
• Such codes are used to provide reliability in distributed storage and have many applications in theoretical computer science.
• Many questions regarding these codes remain wide open:
  - e = Ω(n):
    • r = 3:  k^2 ≤ n(k) ≤ 2^(2^(Õ(√log k))).
    • r = k^ε:  k ≤ n(k) ≤ O(k).
  - e = 1:  n(k) is well understood. Maximally recoverable codes?
  - e = O(1):  Tight bounds for n(k)?