On the Optimal File Size of Capacity-Achieving Byzantine-Resistant Private Information Retrieval Schemes
Stanislav Kruglik, Han Mao Kiah, Son Hoang Dau, Huaxiong Wang

TL;DR
This paper explores how to design efficient private information retrieval systems that resist server collusion and errors while minimizing download costs and file size.
Contribution
The paper introduces PIR schemes with minimal download costs and smallest file size, adaptable to varying numbers of participating servers.
Findings
PIR schemes with minimal download costs and smallest file size are proposed.
A scheme is introduced that adapts to varying numbers of participating servers.
The results extend previous conference findings to handle straggler servers.
Abstract
We consider the problem of designing a Private Information Retrieval (PIR) scheme for n files replicated on k servers that can collude and return incorrect answers. Our goal is to correctly retrieve a specific message while keeping its identity private from the database servers. We focus on minimizing download costs and propose PIR schemes with minimal download costs and the smallest file size (proportional to the number of involved servers). Motivated by the possible presence of stragglers, we extend our previous conference results and propose a scheme in which the number of participating servers may vary.
- —Singapore Ministry of Education Academic Research
- —National Research Foundation, Singapore
- —Infocomm Media Development Authority
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptography and Data Security · Distributed systems and fault tolerance · Peer-to-Peer Network Technologies
1. Introduction
A Private Information Retrieval (PIR) scheme is a tool to retrieve a given file from a database , while keeping its identity private for the database servers [1,2]. This setup has many related practical applications, including protecting the identity of stock market records reviewed by investment funds and efficiently retrieving blockchain transactions for Ethereum and Bitcoin lightweight clients [3,4]. In this paper, we are interested in multi-server PIR settings, in which each of the k servers stores the database, and the client queries each server once. The goal in the classical PIR setting is to keep the identity of the retrieved file private from up to t honest-but-curious servers. In the PIR literature, such a scheme is called a t-private k-server PIR scheme, and this property is known as t-privacy. However, such a setup assumes that servers are honest-but-curious and that they provide correct answers, which cannot be guaranteed in the cloud environment. For example, servers may store outdated databases and, consequently, provide erroneous answers. This case corresponds to the unsynchronized PIR problem in the literature [5]. A more severe case arises when some servers are controlled by an adversary who aims to confuse the user by sending corrupted answers. This scenario is known as the PIR with adversarial servers problem [6].
Motivated by the challenges mentioned above, in this paper we focus on the scenario in which the user can retrieve the correct file of interest in the presence of up to b incorrect responses from servers, known as b-Byzantine resistance [7,8,9,10]. We note that errors introduced by Byzantine servers can be intentional or unintentional; however, in both cases, the user must still be able to retrieve the desired message. In what follows, we focus on the case of an omniscient Byzantine adversary with zero probability of error, while leaving the case of a limited-knowledge adversary with a vanishingly small probability of error, as per [11], for further research.
One of the main performance metrics of PIR schemes is the download rate, defined as the ratio of the retrieved file size to the total amount of information downloaded by the user. The maximum achievable download rate is known under the name of capacity [12]. Maximizing the download rate for PIR schemes in different scenarios is a well-studied scientific problem [1]. The capacity of Byzantine PIR was established in [7], where the authors also proposed a general achievable scheme based on MDS codes. This involves dividing each file into multiple sub-packets, with the number of sub-packets denoted as the sub-packetization. In [7], the scheme had a sub-packetization value of , while the problem of determining its minimum value was posed as an open problem by the authors. Since the proposed construction relies on MDS codes, it requires a sufficiently large finite field size. To take this factor into account, in this paper we focus on the total file size. Note that a large number of field elements makes storage and indexing complicated, while a large field size affects the speed of the involved operations [13]. The main result of this paper is the first capacity-achieving Byzantine-resistant PIR scheme with small file size, which fills the existing gap in the research literature and answers the question posed in [7].
There has been considerable research on reducing the file size and finding its minimum value for different PIR setups in the capacity-achieving regime, where the file size is typically large. The latter includes 1-colluding replicated PIR [14], 1-colluding MDS-coded PIR [15,16,17], and t-colluding replicated PIR [18]. However, to the best of our knowledge, there are no papers that consider a similar problem for Byzantine-resistant PIR. To address this gap, in this paper, we continue our study from [19] and propose a b-Byzantine-resistant k-server PIR scheme attaining asymptotic capacity and with a small file size.
We begin with a t-private PIR scheme based on a recently proposed communication-efficient secret sharing scheme with a small share size from [20]. In this scheme, we represent the whole database as a single vector, and our goal is to privately retrieve certain subsets of its elements. To achieve this, we construct queries such that the desired elements of the vector correspond to the values of a polynomial of a certain degree at specific points. The servers then provide the values of this polynomial at different points, or some function derived from them. In our case, this function is the trace mapping, and we rely on the secret reconstruction algorithms from [20]. To transform this scheme into a Byzantine-resistant setup, inspired by [21], we utilize the idea of constructing a generalized Reed–Solomon code from traces downloaded from servers. The resulting scheme is non-universal, meaning that we have a fixed number of servers with certain restrictions that must participate in the retrieval process. This was described in the conference version of this paper [19]. In this journal version, we generalize the scheme to a universal setup in which there is a finite set of possible values for the number of servers participating in recovery. This makes it possible to configure the scheme based on the current number of available servers. To achieve this, we increase the extension degree of the underlying field and utilize the fact that the extended field can contain several intermediate fields with different extension degrees. Within each of these intermediate fields, the corresponding non-universal scheme can be applied. Since the non-universal scheme is a special case of the universal one, in this paper we present only the universal scheme. We also formally prove that the file size in this scheme is optimal among all capacity-achieving Byzantine-resistant PIR schemes with a sufficiently large number of files.
The rest of this paper is organized as follows: In Section 2, we introduce all of the definitions that we need and list state-of-the-art results. Section 3 is devoted to an explanation of the universal Byzantine-resistant PIR scheme. In Section 4, we derive a lower bound on the file size. Finally, in Section 5, we present a comparison of the proposed scheme with another Byzantine-resistant PIR scheme that attains the capacity for an asymptotically large number of files and allows us to vary the number of participating servers. In Section 6, we provide the conclusions.
2. Preliminaries
2.1. Notations
For any prime power q, we denote the finite field with q elements by and call it the base field. Let be its extension of degree e, and call it the extended field. An extension of the field of degree , where , forms an intermediate field , which is a subfield of . For any we define the trace-mapping function from to as . We note that this is an -linear function. It is clear that can be seen as an -linear space of dimension . We can define an -basis and its trace-dual basis . It is clear that if , and otherwise. By we denote the ring of polynomials over . The minimal polynomial of an element of the finite field is a nonzero monic polynomial of the smallest degree in , such that its value at the point is zero. We refer the reader to [22] for an extensive introduction to finite field theory. By we denote the entropy of a discrete random variable X, and by we denote the mutual information between two discrete random variables X and Y. A comprehensive overview of information theory can be found in [23]. The main notations utilized in this paper are listed in Table 1.
Throughout this paper, we consider a database with n files, each containing s elements of the extended field. The parameter s is the sub-packetization. We represent the database as the vector of length . We define the file and introduce the following database polynomial over with indeterminates :
It is clear that for the indicator vector of length with all zeros except a single one in the position . As a result, to retrieve file , we have to obtain elements . For example, in the case of and , we have two files of two elements, and . The database is , and the database polynomial has the following form: . It is clear that, to recover the file , we need to obtain the values of at the points and .
2.2. k-Server PIR Schemes
Let us formally define the k-server PIR scheme for the replicated database. The user aims to retrieve the file by sending queries to k servers. Upon receiving the query , each server computes the corresponding answer and sends it back to the user. In the Byzantine PIR setting, there exists an unknown set of up to b servers that may provide incorrect answers to queries. With this introduction, we can now formally define k-server t-private b-Byzantine-resistant PIR.
Definition 1(k-server t-private b-Byzantine-resistant PIR). A k-server t-private b-Byzantine-resistant PIR is a scheme that satisfies the following properties:
- 1. (Privacy) The scheme is t-private, i.e., any subset of t or fewer queries does not reveal any information about the identity of the file of interest.
- 2. (Correctness) The scheme is correct and b-Byzantine-resistant, i.e., the user is always able to successfully decode the file of interest from any k queries and corresponding answers even if up to b answers are incorrect. We note that the set of incorrect answers is not known to the user a priori.
Remark 1. By setting , this definition is reduced to a t-private k-server PIR scheme.
The capacity of a single-round k-server t-private b-Byzantine-resistant PIR scheme under the zero probability of incorrect retrieval and omniscient adversary for the case of is shown in [7] to be equal to
Given the large number of files in real-life systems, we are interested in asymptotic capacity values. Therefore, we let , and for the case of , we have the following capacity value of a Byzantine PIR scheme:
2.3. A Communication-Efficient PIR Scheme
Let us adopt a communication-efficient secret sharing scheme from [20] to obtain a k-server t-private PIR scheme with an optimal download rate and sub-packetization . Within the example of Section 2.1, to obtain the file , we deploy a ramp secret sharing scheme with threshold t for the vectors and as secrets from [24]. The latter is a four-dimensional curve that passes through these two vectors and t other random vectors. Each server, as a query, receives the value of this curve at a designated point. As an answer, the server computes the value of the database polynomial at its curve value. These answers are values of a polynomial of degree , and to obtain the file of interest, we need to recover its values at the points corresponding to the secrets. The latter can be performed either by Lagrange interpolation or through the trace-repair framework. For the convenience of the reader, before providing the details of the whole scheme and proving its correctness, let us illustrate the process using servers and the trace-repair framework.
At the beginning, for all components of the file, we compute the values of . Here, is a basis of over , is its trace-orthogonal basis, is the minimal polynomial of over , and and are multipliers of the generalized Reed–Solomon code. Without loss of generality, assume that we download the following traces from servers : . Each trace is an element of . After this, we find and obtain the file .
Scheme : k-server t-private PIR Let t, r, , and k be positive integers satisfying , , where and . Denote by . Let , , and be publicly known non-intersecting sets such that all elements of are roots of distinct monic irreducible polynomials of degree e over .
- Query Generation Algorithm: To retrieve the file , the user randomly generates t random vectors and draws a random degree- curve
that resides in and passes through points . The query to server is . We note that depends on the retrieved index , but we omit the subscript for readability. As introduced earlier, is an indicator vector of length with all zeros except for a single one at position .
-
Answer Generation Algorithm: Upon receiving the query , the server computes , where is the database polynomial over determined in (1). We can observe that , which is a polynomial in of degree , such that for .
-
-Each involved server , responds with
where and
Clearly, when , we have and, as a result, .
- File retrieval algorithm
- -For retrieval from answers from servers, the user applies the Lagrange interpolation formula to recover the polynomial and, as a result, obtains .
- -For retrieval from answers from servers within the set , , , the user prepares a basis for over and its trace-orthogonal basis . Then, for all and , the user chooses polynomials of degree less than d so that
where is the minimal polynomial of over , and
The user retrieves the file of interest by
for all .
Theorem 1. Scheme is a k-server t-private PIR over with retrieval threshold and file size bits that allows retrieval from any servers and achieves the asymptotic capacity (3) for and any given s and r so that , , and for , , and .
Proof. Let us prove privacy and correctness properties according to Definition 1 in case of and show that responses from r servers are enough for file retrieval. The proof is similar to the proof from [20], but for the convenience of the reader, we present it here in full detail.To prove the privacy, we need to show that , for any subset of t servers and any file index . As each element of the vector is encoded separately from other elements, and corresponding random symbols are independent, each component of depends only on corresponding components of indicator vectors and is conditionally independent of everything else. Hence, our scheme is equivalent to the transmission over independent channels [23] and, as a result, we have
It can be easily seen that for each i, are t evaluations of a random polynomial of degree over at different points . Hence, for any given values of , using the Lagrange interpolation formula we can obtain a unique polynomial over such that and . As a result, , and according to (4), the privacy property holds.The property that responses from servers are enough for file retrieval trivially follows from the Lagrange interpolation formula and the fact that responses from servers are values of the polynomial over of degree , so that for . Let us prove the correctness of scheme for any , servers . It is clear that values can be seen as a codeword of Reed–Solomon code of length and dimension r:
where .The dual of is a generalized Reed–Solomon code ([25]), defined as follows:
where for and for .Recall that are roots of distinct monic irreducible polynomials of degree e over . Since is a subfield of , each element of can be represented as value of polynomial of degree less than over in point for all . For each minimal polynomial of of degree d over (see [26] for more details), we have
Let be the basis of over , and is its trace-orthogonal basis. For each and , we can represent the element as the value of function of degree less than d at point . It is clear that ; hence, such functions belong to the dual generalized Reed–Solomon code (5). Also, we have
and
Consequently,
Utilizing (6) and (7), we have
and
Applying the trace-mapping function from to to both sides of Equation (8), and utilizing the facts that , , and for all , , , together with the linearity of the trace-mapping function, we obtain
From the fact that and are trace-orthogonal bases of over , it is clear (see, for example, [22] [Ch. 2]) that
and, hence, all can be retrieved by accessing from all involved servers . The observations that each file consists of s elements of for and the download rate is equal to finish the proof. □
The proposed PIR scheme has a restricted number of servers participating in the retrieval process, namely, . By letting in Scheme , we eliminate the restriction above and obtain the following corollary:
Corollary 1. In case of , Scheme is a k-server t-private PIR over with , file size bits, and a retrieval threshold r that allows the retrieval from any servers and achieves the asymptotic capacity (3) for for any r, so that .
3. Byzantine-Resistant PIR Scheme
Let us construct a k-server PIR scheme with t-colluding and b-Byzantine servers by modifying the construction from Section 2.3. To deal with Byzantine servers, inspired by [21], we modify the protocol by multiplying the responses by specifically selected polynomials so that the server responses form a generalized Reed–Solomon code. Importantly, to ensure the possibility of error correction, we increase the number of required responses so that the codeword formed by them possesses the desired code-distance properties. For the convenience of the reader, before giving the details of the whole scheme and providing a proof of its correctness, let us illustrate the repair process using the trace-repair framework from servers in the presence of up to b incorrect answers from servers.
The pre-computation and download steps remain the same as for the scheme with correct answers from servers. To find the file of interest, before trace reconstruction, we form the following vector from the received traces and decode it as a codeword of a generalized Reed–Solomon code using any decoding algorithm (see, for example, [25]). As a result, we obtain the correct values of the elements of the vector above and can recover the correct values . Further steps remain the same.
Scheme : k-server* t*-private b-Byzantine-resistant PIR Let t, r, , and k be positive integers satisfying , , where and . Denote by . Let , , and be publicly known non-intersecting sets such that all elements of are roots of distinct monic irreducible polynomials of degree e over .
- Query Generation Algorithm: To retrieve the file , the user generates t random vectors and draws a random degree- curve
that resides in and passes through points . The query to server is . We note that depends on the retrieved index , but we omit the subscript for readability. As introduced earlier, is an indicator vector of length with all zeros except for a single one at position .
-
Answer Generation Algorithm: Upon receiving the query , server computes , where is the database polynomial over determined in (1). We can observe that , which is a polynomial in of degree such that for .
-
-Each involved server , responds with
where and
Clearly, when , we have and, as a result, .
- File Retrieval Algorithm
- -For retrieval using answers from servers, the user applies a Reed–Solomon decoding algorithm to recover the polynomial and, as a result, obtains (see, for example, [25]).
- -For retrieval using answers from the set , , , the user decodes the vector
where is the minimal polynomial of over , as a codeword of generalized Reed–Solomon code over , using any decoding algorithm (see, for example, [25]), and extracts the correct values of for .Next, the user prepares a basis for over and its trace-orthogonal basis . After that, for all and , the user chooses polynomials of degree less than d so that
where is the minimal polynomial of over and
The user retrieves the file of interest by
for all .
Theorem 2. Scheme is a k-server t-private b-Byzantine-resistant PIR over with retrieval threshold and file size that allows the retrieval from any servers and achieves the asymptotic capacity (3) for any given s and r so that , and for , and .
Proof. Let us prove the privacy and correctness properties according to Definition 1. The proof of privacy is identical to that of Theorem 1 and is therefore omitted here. We will now demonstrate the correctness property, beginning with the case where . The property that responses from servers are enough for file retrieval follows from the fact that values can be seen as a codeword of Reed–Solomon code of length and dimension :
As a result, with values of the polynomial in any points, we can correctly interpolate it in the presence of b incorrect values utilizing a Reed–Solomon decoding algorithm (see, for example, [25]).Let us prove the correctness of scheme for the case of , servers . It is clear that values can be seen as a codeword of Reed–Solomon code of length and dimension :
where .The dual of is a generalized Reed–Solomon code , defined as follows:
where for and for .Recall that are roots of distinct monic irreducible polynomials of degree e over . Since is a subfield of , each element of can be represented as a polynomial value of degree less than over in point for all . For each minimal polynomial of of degree d over (see [26] for more details), we have
Let be the basis of over , and let be its trace-orthogonal basis. For each and , we can represent the element as the value of function of degree less than d at point . It is clear that ; hence, such functions belong to the dual generalized Reed–Solomon code (9). Also, we have
and
Consequently,
Employing (10) and (11), we have
and
Applying the trace-mapping function from to to both sides of Equation (12), and utilizing the facts that , , and for all , , , together with the linearity of the trace-mapping function, we obtain
From the fact that and are trace-orthogonal bases of over , it is clear (see, for example, [22] [Ch. 2]) that
and, hence, all can be recovered by accessing from all involved servers .Let us show that we can correctly recover in case of at most b incorrect values of . The main idea here is to formally show that the elements form a codeword of a generalized Reed–Solomon code over of length and dimension . To do so, let us define the functions .It is clear that for all and . Hence, for all , we know that and, as a result, these functions belong to the generalized Reed–Solomon code (9), which is dual to the original Reed–Solomon code. We can write down the duality condition
As and , applying the trace-mapping function from to to both sides of Equation (13) and utilizing its linearity, we have
where , and all multipliers in each term belong to for all . Applying [21] [Proposition 1], we find that the elements form a codeword of generalized Reed–Solomon code over that can correct up to b errors, and users can retrieve the correct values of from server responses for all by employing any generalized Reed–Solomon decoder (see, for example [25]). The observations that each file consists of s elements of for and that the download rate is equal to finish the proof. □
The proposed PIR scheme has a restricted number of servers participating in the retrieval process, namely, . By letting in Scheme , we eliminate the restriction above and obtain the following corollary:
Corollary 2. In case of , Scheme is a k-server t-private b-Byzantine-resistant PIR over with , file size bits, and a retrieval threshold r that allows the retrieval from any servers and achieves the asymptotic capacity (3) for any r so that .
4. Lower Bound on the File Size
In this section, following the derivations in [20] [Section V], we describe the class of Byzantine-resistant PIR schemes and demonstrate that our schemes belong to this class and achieve optimal file size. In what follows, we consider a k-server b-Byzantine-resistant PIR scheme with a retrieval threshold r, deployed over the extended field with base field size and sub-packetization s. We omit these details within this section for clarity purposes.
Definition 2(Balanced Byzantine-resistant PIR). The Byzantine-resistant PIR scheme is balanced if, for any permitted set of involved servers with , the user downloads a single element of the same subfield from each involved server.
Definition 3(Rate-optimal Byzantine-resistant PIR). The Byzantine-resistant PIR scheme is rate-optimal if, for any file , we have .
After introducing the necessary definitions, we can formulate the main theorem of this section:
Theorem 3. For a balanced rate-optimal Byzantine-resistant PIR scheme that achieves the asymptotic capacity (3) and admits the retrieval from any servers with the retrieval threshold , the following hold:
Proof. As the considered scheme is rate-optimal, . Since the considered scheme is balanced, we assume that the user downloads a single element of from each involved server , . At the same time, the scheme achieves the asymptotic capacity (3), and the download cost is optimal. By writing this down along with the total amount of data downloaded from the servers, we can state the following equality:
This leads to . Since e is a positive integer and is a subfield of , then divides e and, hence,
Since Equation (14) holds for all and , then and, as a result,
□
Corollary 3. The scheme is a balanced capacity-achieving rate-optimal Byzantine-resistant PIR with optimal file size for an asymptotically large number of files.
5. Comparison
In this section, we compare PIR schemes and in the case where with Staircase-PIR from [27]. Staircase-PIR allows retrieval without restrictions on the number of participating servers and achieves the asymptotic capacity given in (3). It also does not have a sub-packetization level exponential in the number of files n, as in the previous capacity-achieving scheme [7], making it the best scheme for comparison. We denote the latter as scheme and present its parameters in the following theorem:
Theorem 4. Scheme is k-server t-private PIR over with file size bits and retrieval threshold that allows retrieval from any servers and achieves the asymptotic capacity (3) for and any given r so that .
Scheme assumes that the servers are honest-but-curious and provide correct answers. To add the b-Byzantine resistance, we can utilize error-correction capabilities of underlining staircase codes in the same way as shown in [28]. We present the parameters of the resulting scheme in the following theorem:
Theorem 5. Scheme is k-server t-private b-Byzantine-resistant PIR over with file size bits and retrieval threshold , which achieves the asymptotic capacity (3) for any given r so that .
Let us start with numerical comparison. Let us consider a PIR scheme with 27 servers deployed over with and , allowing recovery from servers. Each file consists of components. As a result, each file in scheme is eight elements of or 240 bits, while each file in scheme is eight vectors of 48 elements of or 1920 bits. Let us move to the retrieval process in the case of 27 involved servers. In the case of , we need to download 27 traces of that are elements of or 270 bits and decode one codeword of generalized Reed–Solomon code over . In the case of , we need to download eight vectors of length 54 over or 2160 bits and decode eight codewords of generalized Reed–Solomon code over . The same holds for other parameter values. For the convenience of the reader, we provide the values of the field size, file size, and download cost for the case of participating servers in each scheme in Table 2. We denote , , and measure all parameters in bits.
Although our schemes ( and ) are deployed over extended fields, we operate on single field elements and perform operations over the extended field. These operations can therefore be optimized [13]. In contrast, competing schemes ( and ) are deployed over base-field operands with vectors whose lengths are larger than the extension degrees in our case. This makes them slower and limits potential optimization approaches. Another advantage of our scheme is that, in Byzantine recovery, we decode only one generalized Reed–Solomon code in an intermediate field, which does not significantly increase complexity over the base field. In comparison, must decode several generalized Reed–Solomon codes, making it more computationally heavy than our approach.
6. Conclusions
We considered the problem of designing a Private Information Retrieval scheme resistant to the adversarial behavior of servers. Our focus was on minimizing download costs, and we proposed a capacity-achieving scheme with a small file size for an asymptotically large number of files of fixed size. To address the possible presence of slow or unresponsive servers, whose number is not known or may change over time, we proposed schemes in which the number of servers participating in retrieval may vary, extending the non-universal results presented in the conference. Additionally, we formally proved the optimality of the file size in the proposed schemes that significantly affect implementation complexity. Extending the proposed framework to a finite number of files, as well as considering other Byzantine PIR models, including those with a limited-knowledge adversary or vanishing probability of error, remains an interesting open problem.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Ulukus S. Avestimehr S. Gastpar M. Jafar S.A. Tandon R. Tian C. Private Retrieval, Computing, and Learning: Recent Progress and Future Challenges IEEE J. Sel. Areas Commun.20224072974810.1109/JSAC.2022.3142358 · doi ↗
- 2Ostrovsky R. Skeith W.E. A Survey of Single-Database Private Information Retrieval: Techniques and Applications Public Key Cryptography (PKC)Springer Berlin/Heidelberg, Germany 2007393411
- 3Qin K. Hadass H. Gervais A. Reardon J. Applying private information retrieval to lightweight bitcoin clients Proceedings of the 2019 Crypto Valley Conference on Blockchain Technology (CVCBT)Rotkreuz, Switzerland 24–26 June 20196072
- 4Xie Y. Zhang C. Wei L. Niu Y. Wang F. Liu J. A privacy-preserving Ethereum lightweight client using PIR Proceedings of the 2019 IEEE/CIC International Conference on Communications in China (ICCC)Changchun, China 11–13 August 201910061011
- 5Fanti G. Ramchandran K. Efficient Private Information Retrieval Over Unsynchronized Databases IEEE J. Sel. Top. Signal Process.201591229123910.1109/JSTSP.2015.2432740 · doi ↗
- 6Beimel A. Stahl Y. Robust information-theoretic private information retrieval J. Cryptol.20072029532110.1007/s 00145-007-0424-2 · doi ↗
- 7Banawan K. Ulukus S. The Capacity of Private Information Retrieval from Byzantine and Colluding Databases IEEE Trans. Inf. Theory 2019651206121910.1109/TIT.2018.2869154 · doi ↗
- 8Kurosawa K. How to Correct Errors in Multi-server PIR Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security Kobe, Japan 8–12 December 2019564574
