On Share Conversions for Private Information Retrieval

Beimel et al. in CCC 12' put forward a paradigm for constructing Private Information Retrieval (PIR) schemes, capturing several previous constructions for k >= 3 servers. A key component in the paradigm, applicable to three-server PIR, is a share conversion scheme from corresponding linear three-party secret sharing schemes with respect to a certain type of "modified universal" relation. In a useful particular instantiation of the paradigm, they used a share conversion from (2, 3)-CNF over Z(m) to three-additive sharing over Z(p)(beta) for primes p(1), P-2, p where p(1)not equal p(2) and m = p(1).p(2). The share conversion is with respect to the modified universal relation C-Sm. They reduced the question of whether a suitable share conversion exists for a triple (p(1), p(2), p) to the (in)solvability of a certain linear system over Z(p). Assuming a solution exists, they also provided a efficient (in m, log p) construction of such a sharing scheme. They proved a suitable conversion exists for several triples of small numbers using a computer program; in particular, p = p(1) = 2, p(2) = 3 yielded the three-server PIR with the best communication complexity at the time. This approach quickly becomes infeasible as the resulting matrix is of size Theta(m(4)). In this work, we prove that the solvability condition holds for an infinite family of (p(1), p(2), p)'s, answering an open question of Beimel et al. Concretely, we prove that if p(1), p(2) > 2 and p = p(1), then a conversion of the required form exists. We leave the full characterization of such triples, with potential applications to PIR complexity, to future work. Although larger (particularly with max (p(1), p(2)) > 3) triples do not yield improved three-server PIR communication complexity via BIKO's construction, a richer family of PIR protocols we obtain by plugging in our share conversions might have useful properties for other applications. Moreover, we hope that the analytic techniques for understanding the relevant matrices we developed would help to understand whether share conversion as above for C-Sm, where m is a product of more than two (say three) distinct primes, exists. The general BIKO paradigm generalizes to work for such Z(m)'s. Furthermore, the linear condition in Beimel et al. generalizes to m's, which are products of more than two primes, so our hope is somewhat justified. In case such a conversion does exist, plugging it into BIKO's construction would lead to major improvement to the state of the art of three-server PIR communication complexity (reducing Communication Complexity (CC) in correspondence with certain matching vector families).