Towards Characterizing the Download Cost of Cache-Aided Private Updating ^†

Abstract

We consider the problem of privately updating a message out of K messages from N replicated and non-colluding databases where a user has an outdated version of the message ${\hat{W}}_{\theta }$ of length L bits that differ from the current version $W_{\theta }$ in at most f bits. The user also has a cache containing coded combinations of the K messages (with a pre-specified structure), which are unknown to the N databases (unknown prefetching). The cache Z contains ℓ linear combinations from all K messages in the databases with $r=\frac{\mathcal{l}}{L}$ being the caching ratio. The user needs to retrieve $W_{\theta }$ correctly using a private information retrieval (PIR) scheme without leaking information about the message index $\theta$ to any individual database. Our objective is to jointly design the prefetching (i.e., the structure of said linear combinations) and the PIR strategies to achieve the least download cost. We propose a novel achievable scheme based on syndrome decoding where the cached linear combinations in Z are designed to be bits pertaining to the syndrome of $W_{\theta }$ according to a specific linear block code. We derive a general lower bound on the optimal download cost for $0\le r\le 1$, in addition to achievable upper bounds. The upper and lower bounds match for the cases when r is exceptionally low or high, or when $K=3$ messages for arbitrary r. Such bounds are derived by developing novel cache-aided arbitrary message length PIR schemes. Our results show a significant reduction in the download cost if $f<{\displaystyle \frac{L}{2}}$ when compared with downloading $W_{\theta }$ directly using typical cached-aided PIR approaches.

1. Introduction

The problem of private information retrieval (PIR), introduced by Chor et al. in [1], seeks to find the most efficient way for a user to privately retrieve a single message from a set of K messages from N fully replicated and non-communicating databases. PIR schemes are designed to download a mixture of all K messages, with the least number of overhead downloaded bits, such that no single database can infer the identity of the desired message. The user accomplishes this task by sending a query to each database. The databases respond truthfully to the submitted query with an answer string. The user can then reconstruct the desired message from jointly decoding the returned answer strings. Recently, the problem of PIR has received growing interest from the information and coding theory communities. The classical PIR problem is reformulated using information-theoretic measures in the seminal work of Sun–Jafar [2]. In there, the performance metric of the PIR scheme is the retrieval rate, which is the ratio of the number of the desired message symbols to the total number of downloaded bits. The supremum of this ratio is denoted by the PIR capacity, C. Sun and Jafar characterize the PIR capacity of the classical PIR model to be

$$\begin{array}{c}\hfill C={\left(1+{\displaystyle \frac{1}{N}}+{\displaystyle \frac{1}{N^2}}+\cdots +{\displaystyle \frac{1}{N^{K-1}}}\right)}^{-1}.\end{array}$$

(1)

Following [2], the capacity (or its reciprocal, the normalized download cost) of many variations of the problem have been investigated; see [3,4,5,6,7,8,9,10,11,12,13,14,15,16,17], and the surveys in [18,19].

In all these works, the user is assumed to have no information about the desired message prior to retrieval. Thus, the queries are designed independently of the message contents. This is not always the case in practice. To see that, consider the following classical motivational example of PIR: in the stock market, investors need to privately retrieve some of the stock records since showing interest in a specific record may undesirably affect its value. PIR is a natural solution to this problem. Now, consider the case when an investor has already retrieved a specific stock record some time ago but this record has been changed. The investor needs to update the record at his/her side. A trivial solution to this problem is to reapply the original PIR scheme again. Nevertheless, this solution overlooks the fact that stock records are correlated in time. Another example arises in the context of private federated submodel learning [20], in which a user needs to retrieve the up-to-date desired submodel without leaking any information about its identity. The weights of each submodel are usually correlated in time as in the stock market example. In both examples, it is interesting to investigate whether or not the investor (user) can exploit the correlation between the outdated record (submodel) and its up-to-date counterpart to drive down the download cost. In this work, we focus our attention on a specific type of correlation, in which the up-to-date message is a distorted version of the outdated message according to a Hamming distortion measure.

The most closely related works to this problem are the PIR problems with side information, e.g., [21,22,23,24,25,26,27]. We also assume that the user has access to a private local cache containing equal portions of each message. Caching systems of this variety have been explored before in the PIR setting, e.g., [28,29], but not in conjunction with other forms of side information (outdated or updated). In the works regarding PIR with side information, the user has side information in the form of a subset of undesired messages, which are utilized to assist in privately retrieving the desired message. This is different from our setting, in which the user possesses side information in the form of an outdated desired message. Furthermore, these works differ from each other in whether the privacy of the side information should be maintained or not. This is different from our problem in which the identity of the desired and side information is the same, and therefore the privacy constraint in our problem is modified to reflect this fact.

In this work, we introduce the problem of cache-aided private updating with unknown prefetching for an L-bit length message out of a K-message library from N replicated and non-colluding databases. In this problem, the user has an outdated version ${\hat{W}}_{\theta }$ of the desired message $\theta$, and wishes to update it to its up-to-date version $W_{\theta }$. Furthermore, the user has information about the maximum Hamming distance f between the up-to-date message and its outdated counterpart, i.e., the user possesses ${\hat{W}}_{\theta }$, which differs in at most f bits from the desired up-to-date message $W_{\theta }$. Based on ${\hat{W}}_{\theta }$ and f, the user needs to design a query set to reliably and privately decode the up-to-date version of the desired message $W_{\theta }$ with the least number of downloaded bits. Equivalently, the user needs to privately retrieve an auxiliary message that corresponds to the flipped bit positions in the desired message. Similar to the works of [30,31], we assume that the databases can construct a mapping from the original library of messages into a more appropriate form that can assist the user in the retrieval process (in this work, we assume that the databases are semi-honest, in the sense that they truthfully obey the retrieval process, but the databases are curious to learn the identity of the desired file). The user also has access to a private cache Z containing ℓ linear combinations of each message, with $r=\frac{\mathcal{l}}{L}$ being the caching ratio. The structure of such linear combinations is pre-specified to facilitate the retrieval procedure. By jointly designing the prefetching (i.e., the structure of the aforementioned cache contents) and the updating procedures, we aim at characterizing the optimal download cost needed to update ${\hat{W}}_{\theta }$ to $W_{\theta }$ given Z without disclosing the desired message index $\theta$ to any of the databases for arbitrary K, N, f, L, and r.

To that end, we propose a novel achievable scheme that is based on the syndrome decoding idea introduced in [32], and adapt it to our setting to exploit the correlation between $W_{\theta }$ and ${\hat{W}}_{\theta }$. Hence, syndrome decoding is used to compress the desired message based on the user’s side information (i.e., the outdated message ${\hat{W}}_{\theta }$). More specifically, the databases apply a linear transformation to the stored library of messages using the parity check matrix of a linear block code with carefully chosen parameters. The existence of such a code can be readily inferred from the Gilbert–Varshamov and the Hamming bounds [33]. This transformation, in effect, maps the messages into their corresponding syndromes. Thus, the problem is reduced to retrieving the syndrome representation of the messages (i.e., the auxiliary messages) that comprises $⌈\overline{L}⌉=⌈{log}_2\left({\sum }_{i=0}^f\left({\displaystyle \genfrac{}{}{0pt}{}{L}{i}}\right)\right)⌉\le L$ bits, where L is the original message length.

In the case of $r=0$, we directly apply the PIR scheme in [34] to the auxiliary messages of length $⌈\overline{L}⌉$, which is optimal under the message length constraints. In the case where r satisfies $0<r\le {\displaystyle \frac{1}{1+N+N^2+\cdots +N^{K-1}}}$ (denoted as very low r), ${\displaystyle \frac{1}{1+N}}\le r\le 1$ (denoted as very high r), we extend the PIR scheme in [34] to the cache-aided setting in [29], and develop a novel cache-aided arbitrary message length PIR scheme to solve our problem. We also present an achievable scheme for the mid-range r, satisfying ${\displaystyle \frac{1}{1+N+N^2+\cdots +N^{K-1}}}<r<{\displaystyle \frac{1}{1+N}}$, tailored for the case of $K=3$ messages, and discuss possible extensions for arbitrary K afterwards. Like with the $r=0$ case, we can then use this new cache-aided arbitrary message length scheme to download the auxiliary messages of length $⌈\overline{L}⌉$ with an effective caching ratio of $\tilde{r}={\displaystyle \frac{\mathcal{l}}{⌈\overline{L}⌉}}$. This is in effect a higher caching ratio than r, which in turns lead to a lower download cost as in [29]. For each of these cases, we confirm the validity of our proposed scheme by deriving a matching converse proof. Our converse proof is inspired by the converse proof of the cache-aided PIR problem with unknown and uncoded prefetching in [29], with the main difference being the fact that in addition to a private cache, the user has access to the outdated message ${\hat{W}}_{\theta }$, the index of which they wish to keep private. Consequently, we show that the optimal download cost is perfectly characterized for very high caching ratios, and is characterized within a maximum gap of only 2 bits otherwise. Notably, such a gap is 0 if $\overline{L}$ is an integer. This justifies the efficacy of using syndromes as a message-mixing technique in our setting. Furthermore, our results show that performing direct PIR on the original library of messages is strictly sub-optimal as long as the maximum Hamming distance $f<{\displaystyle \frac{L}{2}}$.

The rest of the paper is organized as follows. Our system model is described in Section 2. The main results are presented in Section 3, with the main converse proof following in Section 4, and the achievability proofs in Section 5 and Section 6. Section 7 includes a discussion on extending our achievability results, and the paper is concluded in Section 8.

2. System Model

We consider a classical PIR problem with K independent, uncoded, messages $W_1,\dots ,W_K$, with each message consisting of L independent and uniformly distributed bits. We have

$$\begin{array}{cc}\hfill H\left(W_i\right)& =L,1\le i\le K,\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill H(W_1,\dots ,W_K)& =H\left(W_1\right)+\dots +H\left(W_K\right).\hfill \end{array}$$

(3)

The K messages are stored in N replicated and non-communicating databases. The user (retriever) has a local copy of one of the messages whose index $\theta \in \left[K\right]$ is known to the user ($\left[K\right]$ denotes the set $\{1,2,\dots ,K\}$) but not the database (this is true if message $\theta$, for example, has been previously obtained in a private manner). However, this message stored locally is outdated, and the user wishes to update it so that it is consistent with the copies in the databases without revealing to any of the databases what the message index is.

The user also has a local cache memory whose contents are denoted by a random variable Z. The cache is populated through a prefetching phase in which the user caches pre-specified linear combinations from each message $W_i$, $i\in \left[K\right]$, with $\mathcal{l}<L$ bits (specifically, we consider the case when the prefetching and retrieval strategies can be jointly designed, i.e., we assume that the information source performing the prefetching may provide a linear combination of its content with any desired structure to assist the user in minimizing the download cost in the retrieval phase). Such linear combinations are represented by a matrix multiplication $W_i{R}_i$, where $R_i$ is of dimension $L\times \mathcal{l}$. Thus, we have

$$\begin{array}{c}\hfill Z=[W_1{R}_1,W_2{R}_2,\cdots ,W_K{R}_K].\end{array}$$

(4)

The explicit design of $R_i$, $i\in \left[K\right]$ is specified along the lines of the achievability proof. We assume that the contents of the cache are unknown to the databases, as in, e.g., [21,27,29]. We define the caching ratio as

$$\begin{array}{c}\hfill r={\displaystyle \frac{\mathcal{l}}{L}}.\end{array}$$

(5)

Observe that the number of cached bits pertaining to each message is equal to $Lr$. It now follows that

$$\begin{array}{cc}\hfill H\left(Z\right)& ={\displaystyle \sum _{i=1}^K}H\left(W_i{R}_i\right)\le KLr,\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill I(W_i;Z)& =H\left(W_i{R}_i\right)\le Lr,1\le i\le K.\hfill \end{array}$$

(7)

The setting described above defines the cache-aided private updating problem with unknown prefetching.

Since each message is a string of L bits, the problem can be formulated as privately determining which subset of the message bits need to be flipped in order to fully update it. To model this, we use ${\hat{W}}_{\theta }$ to represent the locally stored outdated message, ${\overline{W}}_{\theta }$ to represent the subset of bit indices that need to be flipped, and f to represent the maximum Hamming distance between $W_{\theta }$ and ${\hat{W}}_{\theta }$ (clearly, $f\ge 1$ must hold; otherwise, there is no need to update ${\hat{W}}_{\theta }$). Therefore, in order to update message $\theta$, the user needs to flip at most f bits, i.e., ${\overline{W}}_{\theta }$ takes a value out of ${\sum }_{i=0}^f\left({\displaystyle \genfrac{}{}{0pt}{}{L}{i}}\right)$ choices. We assume that such choices are uniformly distributed and independently realized from ${\hat{W}}_{\theta }$. Based on this model, the following holds:

$$\begin{array}{cc}\hfill H\left(W_{\theta }\right)=H\left({\hat{W}}_{\theta }\right)& =L,\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill H\left({\overline{W}}_{\theta }\right)={log}_2\left({\displaystyle \sum _{i=0}^f}\left({\displaystyle \genfrac{}{}{0pt}{}{L}{i}}\right)\right)& \triangleq \overline{L},\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill H\left(W_{\theta }\right|{\hat{W}}_{\theta })=H\left({\overline{W}}_{\theta }\right|{\hat{W}}_{\theta })& =\overline{L},\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill H\left({\overline{W}}_{\theta }\right|{\hat{W}}_{\theta },W_{\theta })& =0,\hfill \end{array}$$

(11)

$$\left|{\overline{W}}_{\theta }\right|\le f\le L,$$

(12)

where $|·|$ denotes cardinality. We assume that the maximum Hamming distance f between the outdated and updated message is known to the user. By (9), one can see that $⌈\overline{L}⌉$ bits should be sufficient to update ${\hat{W}}_{\theta }$. Hence, one can set a maximum value on the number of cached bits from each message as follows (in case the number of cached bits is greater than this bound in (13), the extra bits can be ignored by the user):

$$\begin{array}{c}\hfill \mathcal{l}\le ⌈\overline{L}⌉.\end{array}$$

(13)

In order to retrieve $W_{\theta }$, the user sends a set of queries $Q_1^{\left[\theta \right]},\dots ,Q_N^{\left[\theta \right]}$ to the N databases to efficiently obtain ${\overline{W}}_{\theta }$. The queries are generated according to ${\hat{W}}_{\theta }$, f, and Z, and are jointly independent of the realizations of the $\left[K\right]\setminus \left\{\theta \right\}$ messages and ${\overline{W}}_{\theta }$ given ${\hat{W}}_{\theta }$. Therefore we have (we use the notation $x_S$ to denote the collection of $\{x_i,i\in S\}$)

$$\begin{array}{c}\hfill I\left(W_{\left[K\right]\setminus \left\{\theta \right\}},{\overline{W}}_{\theta };Q_{1:N}^{\left[\theta \right]}|{\hat{W}}_{\theta },Z\right)=0.\end{array}$$

(14)

Upon receiving the query $Q_n^{\left[\theta \right]}$, the nth database replies with an answering string $A_n^{\left[\theta \right]}$, which is a function of $Q_n^{\left[\theta \right]}$ and all the K messages stored. Therefore, $\forall \theta \in \left[K\right],\forall n\in \left[N\right]$, we have

$$\begin{array}{c}\hfill H\left(A_n^{\left[\theta \right]}|Q_n^{\left[\theta \right]},W_{1:K}\right)=0.\end{array}$$

(15)

To ensure that individual databases do not know which message is being updated, we need to satisfy the following privacy constraint, $\forall n\in \left[N\right],\forall k\in \left[K\right]$:

$$\begin{array}{c}\hfill \left(Q_n^{\left[1\right]},A_n^{\left[1\right]},{\hat{W}}_1,W_{1:K}\right)\sim \left(Q_n^{\left[k\right]},A_n^{\left[k\right]},{\hat{W}}_k,W_{1:K}\right),\end{array}$$

(16)

where ∼ denotes statistical equivalence. After receiving the answering strings $A_{1:N}^{\left[\theta \right]}$ from all the N databases, the user needs to decode the desired information $W_{\theta }$ with no uncertainty, satisfying the following correctness constraint:

$$\begin{array}{c}\hfill H\left(W_{\theta }|A_{1:N}^{\left[\theta \right]},Q_{1:N}^{\left[\theta \right]},{\hat{W}}_{\theta },Z\right)=0.\end{array}$$

(17)

The overall system model is depicted in Figure 1. We also include a list of notation with their definitions in

Table 1. Key notations and system parameters.

Symbol	Definition
K	number of messages
N	number of databases
L	message length
$\theta$	index of the required message
${\hat{W}}_{\theta }$	outdated message
$W_{\theta }$	current message
f	upper bound on differences between outdated and current messages
Z	cache content
ℓ	number of linearly-combined bits cached from each message
r	caching ratio: $\mathcal{l}/L$
$\overline{L}$	number of bits sufficient to update the message: ${log}_2\left({\sum }_{i=0}^f\left({\displaystyle \genfrac{}{}{0pt}{}{L}{i}}\right)\right)$

for ease of presentation.

For fixed N, K, f, and r, a pair $(\overline{D},L)$ is achievable if there exists a cache-aided private updating with unknown prefetching scheme for messages of length L bits long satisfying the privacy constraint (16) and the correctness constraint (17). In this pair, $\overline{D}$ represents the expected number of downloaded bits received from the N databases independently via the answering strings $A_{1:N}^{\left[k\right]}$, i.e.,

$$\begin{array}{c}\hfill \overline{D}={\displaystyle \sum _{n=1}^N}H\left(A_n^{\left[\theta \right]}\right).\end{array}$$

(18)

Our goal is to characterize the optimal download cost ${\overline{D}}_L$ for the cache-aided private updating problem with unknown prefetching for fixed arbitrary L, N, K, f, and r. That is, we solve for

$$\begin{array}{c}\hfill {\overline{D}}_L=min\left\{\overline{D}:(\overline{D},L)\mathrm{is}\mathrm{achievable}\right\}.\end{array}$$

(19)

Clearly, the user can ignore its outdated message ${\hat{W}}_{\theta }$ and re-download the whole new message $W_{\theta }$ using standard cache-aided PIR schemes [2,29]. Our main result, however, shows that we can use ${\hat{W}}_{\theta }$ to do strictly better.

3. Main Results

Our first result characterizes a converse bound for the optimal download cost ${\overline{D}}_L$ for general N, K, f, and r.

Theorem 1 

(Converse). In the cache-aided private updating problem with unknown prefetching, the optimal download cost is lower bounded by

$$\begin{array}{c}\hfill {\overline{D}}_L\ge ⌈{\displaystyle \underset{i\in \{2,\dots ,K+1\}}{max}}(\overline{L}-Lr){\displaystyle \sum _{j=0}^{K+1-i}}{\displaystyle \frac{1}{N^j}}-Lr{\displaystyle \sum _{j=0}^{K-i}}{\displaystyle \frac{K+1-i-j}{N^j}}⌉,\end{array}$$

(20)

with $\overline{L}$ defined in (9).

The proof of Theorem 1 is provided in Section 4.

For our next result, we characterize an achievability bound for specific values of the caching ratios, and otherwise general L, N, K, and f. Before we present our result, we need to introduce some notation. Specifically, as in [29], for $s\in \{1,2,\dots ,K-1\}$, we define a caching ratio $r_s$ as

$$\begin{array}{c}\hfill r_s={\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{K-2}{s-1}\right)}{\left(\genfrac{}{}{0pt}{}{K-2}{s-1}\right)+{\sum }_{i=0}^{K-1-s}\left(\genfrac{}{}{0pt}{}{K-1}{s+i}\right){(N-1)}^{i}N}}.\end{array}$$

(21)

Now, we say that a caching ratio r is very low if $0\le r\le r_1={\displaystyle \frac{1}{1+N+N^2+\cdots +N^{K-1}}}$, very high if $r_{K-1}={\displaystyle \frac{1}{1+N}}\le r\le 1$, and mid-range otherwise. We are now ready to present our first achievability result.

Theorem 2 

(Very Low and Very High Achievability). In the cache-aided private updating problem with unknown prefetching, for very low caching ratios, the optimal download cost is upper bounded by

$$\begin{array}{c}\hfill {\overline{D}}_L\le ⌈\left(⌈\overline{L}⌉-Lr\right)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}-Lr·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}}⌉,\end{array}$$

(22)

and for very high caching ratios, the optimal download cost is upper bounded by

$$\begin{array}{c}\hfill {\overline{D}}_L\le ⌈\overline{L}⌉-Lr,\end{array}$$

(23)

with $\overline{L}$ defined in (9).

The proof of Theorem 2 is provided in Section 5.

Combining the achievability bounds in Theorem 2 with the converse bound in Theorem 1, we obtain a fairly tight, up to a ceiling difference of $\overline{L}$, characterization of the optimal download cost ${\overline{D}}_L$ for very low and very high caching ratios. This is stated in the following corollary.

Corollary 1. 

In the cache-aided private updating problem with unknown prefetching, for very low caching ratios, we have

$$\begin{array}{cc}\hfill & ⌈(\overline{L}-Lr){\displaystyle \sum _{j=0}^{K-1}}{\displaystyle \frac{1}{N^j}}-Lr{\displaystyle \sum _{j=0}^{K-2}}{\displaystyle \frac{K-1-j}{N^j}}⌉\le {\overline{D}}_L\le ⌈\left(⌈\overline{L}⌉-Lr\right){\displaystyle \sum _{j=0}^{K-1}}{\displaystyle \frac{1}{N^j}}-Lr{\displaystyle \sum _{j=0}^{K-2}}{\displaystyle \frac{K-1-j}{N^j}}⌉,\hfill \end{array}$$

(24)

and for very high caching ratios, we have

$$\begin{array}{c}\hfill {\overline{D}}_L=⌈\overline{L}⌉-Lr\end{array}$$

(25)

Proof. 

The right-hand side inequality of (24) is given directly by Theorem 2. By choosing $i=2$ in (20), we obtain the left-hand side inequality in (24). Similarly, by choosing $i=K-1$ in (20), we obtain the result in (25) (note that $Lr$ is an integer, and so in this case, the converse and achievability bounds match). This concludes the proof. □

We now have the following remarks.

Remark 1. 

The result in Corollary 1 generalizes our preliminary work on the private updating problem with no caching involved [35]. Specifically, plugging in $r=0$ in Corollary 1 directly gives ([35], Theorem 1).

Remark 2. 

Consider the result in (24). From (9) and (12), it follows that $⌈\overline{L}⌉=L$ for all values of $f\ge {\displaystyle \frac{L}{2}}$, and that $⌈\overline{L}⌉<L$ for all values of $f<{\displaystyle \frac{L}{2}}$ (this can be readily shown using the binomial theorem; details are in Appendix A). Combining this with the results in ([29], Corollary 2) (which is the analog of our result in case the user does not have an outdated message), this means that there is a Hamming distance threshold of ${\displaystyle \frac{L}{2}}$ beyond which there is no advantage to using a private updating strategy, and below which there will always be some savings in download cost. This can be seen in Figure 2, where we also note that the non-linearity of the upper and lower bounds are a result of the ceiling functions that appear in these bounds.

Remark 3. 

If L and f are such that $\overline{L}=⌈\overline{L}⌉$, then the upper and lower bounds in (24) match. We will see that this holds if a perfect code (a code that attains the Hamming bound with equality [33]) by which the queries are sent exists (cf. Section 5). Otherwise, if $\overline{L}<⌈\overline{L}⌉$, one can show using similar arguments as in ([34], Section 7.2) that the two bounds are within 2 bits for $N\ge 2$ databases.

Next, we have the following achievability result regarding mid-range caching ratios.

Theorem 3 

(Mid-Range Achievability). In the cache-aided private updating problem with unknown prefetching with $K=3$ messages, for mid-range effective caching ratios, the optimal download cost is upper bounded by

$$\begin{array}{c}\hfill {\overline{D}}_L\le ⌈\left(⌈\overline{L}⌉-Lr\right)\left(1+{\displaystyle \frac{1}{N}}\right)-Lr⌉\end{array}$$

(26)

with $\overline{L}$ defined in (9).

The proof of Theorem 3 is provided in Section 6. In Section 7, we include a discussion on extending the above achievability result for arbitrary K.

Combining the mid-range achievability bound in Theorem 3 and the converse bound in Theorem 1 for $i=K$, we characterize the optimal download cost for ${\overline{D}}_L$ for mid-range caching ratios when $K=3$. Furthermore, combining this characterization with the result of Corollary 1 gives a complete characterization of ${\overline{D}}_L$ when $K=3$ for any caching ratio. To this end, we define the $K=3$ converse bound ${\overline{D}}_{K=3}\left(r\right)$ and the $K=3$ achievability bound ${\overline{D}}^{K=3}\left(r\right)$ to express this characterization:

$$\begin{array}{c}\hfill {\overline{D}}_{K=3}\left(r\right)=\left\{\begin{array}{cc}⌈\left(\overline{L}-Lr\right)·{\displaystyle {\sum }_{i=0}^2}{\displaystyle \frac{1}{N^i}}-Lr·{\displaystyle {\sum }_{i=0}^1}{\displaystyle \frac{2-i}{N^i}}⌉,\hfill & \mathrm{if}0\le r\le r_1;\hfill \\ ⌈\left(\overline{L}-Lr\right)\left(1+{\displaystyle \frac{1}{N}}\right)-Lr⌉,\hfill & \mathrm{if}{r}_1\le r\le r_2;\hfill \\ ⌈\overline{L}⌉-Lr,\hfill & \mathrm{if}{r}_2\le r\le 1.\hfill \end{array}\right.\end{array}$$

(27)

$$\begin{array}{cc}\hfill & {\overline{D}}^{K=3}\left(r\right)=\left\{\begin{array}{cc}⌈\left(⌈\overline{L}⌉-Lr\right)·{\displaystyle {\sum }_{i=0}^2}{\displaystyle \frac{1}{N^i}}-Lr·{\displaystyle {\sum }_{i=0}^1}{\displaystyle \frac{2-i}{N^i}}⌉,\hfill & \mathrm{if}0\le r\le r_1;\hfill \\ ⌈\left(⌈\overline{L}⌉-Lr\right)\left(1+{\displaystyle \frac{1}{N}}\right)-Lr⌉,\hfill & \mathrm{if}{r}_1\le r\le r_2;\hfill \\ ⌈\overline{L}⌉-Lr,\hfill & \mathrm{if}{r}_2\le r\le 1.\hfill \end{array}\right.\hfill \end{array}$$

(28)

We have now proved the following corollary.

Corollary 2 

($K=3$ Characterization). In the cache-aided private updating problem with unknown prefetching where $K=3$, for any caching ratio, we have

$$\begin{array}{c}\hfill {\overline{D}}_{K=3}\left(r\right)\le {\overline{D}}_L\le {\overline{D}}^{K=3}\left(r\right)\end{array}$$

(29)

4. Proof of Theorem 1: Converse

In this section, we derive the general (converse) lower bound for the download cost in Theorem 1. To do so, we prove two useful lemmas, analogues to their counterparts in the cache-aided PIR setting of [29], for the case of our cache-aided private updating problem. The two lemmas are then combined to prove the general lower bound. The key difference between our lemmas and those in [29] is that in addition to some uniform portion of each message being cached, the user is given an outdated message ${\hat{W}}_{\theta }$, requiring careful handling of the correlation between $W_{\theta }$ and ${\hat{W}}_{\theta }$.

Lemma 1 

(Interference Lower Bound). In the cache-aided private updating problem with unknown prefetching, the interference from undesired messages within the answering strings, $\overline{D}-(\overline{L}-Lr)$, satisfies

$$\begin{array}{c}\hfill \overline{D}-(\overline{L}-Lr)\ge I\left(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1},{\hat{W}}_{k-1},Z\right)\end{array}$$

(30)

for all $k\in \{2,\dots ,K\}$.

Proof. 

We start with the right-hand side of (30),

$$\begin{array}{cc}\hfill & I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]},W_{k-1}|W_{1:k-2},{\hat{W}}_{k-1},Z)-I(W_{k:K};W_{k-1}|W_{1:k-2},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill & =I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-2},{\hat{W}}_{k-1},Z)+I(W_{k:K};W_{k-1}|Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]},W_{1:k-2},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \stackrel{\left(17\right)}{=}I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-2},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(32)

$$\begin{array}{cc}\hfill & \stackrel{\left(14\right)}{=}I(W_{k:K};A_{1:N}^{[k-1]}|Q_{1:N}^{[k-1]},W_{1:k-2},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(33)

$$\begin{array}{cc}\hfill & =H\left(A_{1:N}^{[k-1]}\right|Q_{1:N}^{[k-1]},W_{1:k-2},{\hat{W}}_{k-1},Z)-H\left(A_{1:N}^{[k-1]}\right|Q_{1:N}^{[k-1]},W_{1:k-2},W_{k:K},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(34)

$$\begin{array}{cc}\hfill & \stackrel{\left(17\right)}{=}H\left(A_{1:N}^{[k-1]}\right|Q_{1:N}^{[k-1]},W_{1:k-2},{\hat{W}}_{k-1},Z)-H(A_{1:N}^{[k-1]},W_{k-1}|Q_{1:N}^{[k-1]},W_{1:k-2},W_{k:K},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(35)

$$\begin{array}{cc}\hfill & \le H\left(A_{1:N}^{[k-1]}\right|Q_{1:N}^{[k-1]},W_{1:k-2},{\hat{W}}_{k-1},Z)-H\left(W_{k-1}\right|Q_{1:N}^{[k-1]},W_{1:k-2},W_{k:K},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(36)

$$\begin{array}{cc}\hfill & \stackrel{\left(14\right)}{=}H\left(A_{1:N}^{[k-1]}\right|Q_{1:N}^{[k-1]},W_{1:k-2},{\hat{W}}_{k-1},Z)-H\left(W_{k-1}\right|{\hat{W}}_{k-1},Z)\hfill \end{array}$$

(37)

$$\begin{array}{cc}\hfill & \stackrel{\left(18\right),\left(3\right)}{\le }\overline{D}-H\left(W_{k-1}\right|{\hat{W}}_{k-1},W_{k-1}{R}_{k-1})\hfill \end{array}$$

(38)

$$\begin{array}{cc}\hfill & =\overline{D}-\left(H(W_{k-1},W_{k-1}{R}_{k-1}|{\hat{W}}_{k-1})-H\left(W_{k-1}{R}_{k-1}\right|{\hat{W}}_{k-1})\right)\hfill \end{array}$$

(39)

$$\begin{array}{cc}\hfill & =\overline{D}-\left(H\left(W_{k-1}\right|{\hat{W}}_{k-1})+H\left(W_{k-1}{R}_{k-1}\right|{\hat{W}}_{k-1},W_{k-1})-H\left(W_{k-1}{R}_{k-1}\right|{\hat{W}}_{k-1})\right)\hfill \end{array}$$

(40)

$$\begin{array}{cc}\hfill & \stackrel{\left(10\right),\left(7\right)}{\le }\overline{D}-(\overline{L}-Lr).\hfill \end{array}$$

(41)

This concludes the proof. □

Note that if privacy was not a constraint, then $\overline{D}=\overline{L}-Lr$ and the interference from undesired messages would be non-existent. However, when the privacy constraint is present, $\overline{D}-(\overline{L}-Lr)$ characterizes the number of bits that will be downloaded and used as side information to preserve privacy from the databases in a given scheme.

Lemma 2 

(Induction Lemma). For all $k\in \{2,\dots ,K\}$, the mutual information term in Lemma 1 can be inductively lower bounded as

$$\begin{array}{cc}\hfill & I\left(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1},{\hat{W}}_{k-1},Z\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \ge {\displaystyle \frac{1}{N}}I\left(W_{k+1:K};Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k},{\hat{W}}_k,Z\right)+{\displaystyle \frac{\overline{L}-Lr}{N}}-(K-k+1)Lr.\hfill \end{array}$$

(42)

Proof. 

We start with the left-hand side of (42),

$$\begin{array}{cc}\hfill & I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1},{\hat{W}}_{k-1},Z)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]},Z,{\hat{W}}_{k-1}|W_{1:k-1})-I(W_{k:K};Z,{\hat{W}}_{k-1}|W_{1:k-1})\hfill \end{array}$$

(43)

$$\begin{array}{cc}\hfill & =I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1})+I(W_{k:K};Z,{\hat{W}}_{k-1}|W_{1:k-1},Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]})\hfill \end{array}$$

$$\begin{array}{cc}\hfill & -I(W_{k:K};Z,{\hat{W}}_{k-1}|W_{1:k-1})\hfill \end{array}$$

(44)

$$\begin{array}{cc}\hfill & \ge I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1})-I(W_{k:K};Z,{\hat{W}}_{k-1}|W_{1:k-1}).\hfill \end{array}$$

(45)

Now, for the first term in (45), we have

$$\begin{array}{cc}\hfill & I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1})\hfill \end{array}$$

(46)

$$\begin{array}{cc}\hfill & \ge {\displaystyle \frac{1}{N}}{\displaystyle \sum _{n=1}^N}I(W_{k:K};Q_n^{[k-1]},A_n^{[k-1]}|W_{1:k-1})\hfill \end{array}$$

(47)

$$\begin{array}{cc}\hfill & \stackrel{\left(16\right)}{=}{\displaystyle \frac{1}{N}}{\displaystyle \sum _{n=1}^N}I(W_{k:K};Q_n^{\left[k\right]},A_n^{\left[k\right]}|W_{1:k-1})\hfill \end{array}$$

(48)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{N}}{\displaystyle \sum _{n=1}^N}I(W_{k:K};A_n^{\left[k\right]}|W_{1:k-1},Q_n^{\left[k\right]})\hfill \end{array}$$

(49)

$$\begin{array}{cc}\hfill & \stackrel{\left(15\right)}{=}{\displaystyle \frac{1}{N}}{\displaystyle \sum _{n=1}^N}H\left(A_n^{\left[k\right]}\right|W_{1:k-1},Q_n^{\left[k\right]})\hfill \end{array}$$

(50)

$$\begin{array}{cc}\hfill & \ge {\displaystyle \frac{1}{N}}{\displaystyle \sum _{n=1}^N}H\left(A_n^{\left[k\right]}\right|W_{1:k-1},{\hat{W}}_k,Z,Q_{1:N}^{\left[k\right]},A_{1:n-1}^{\left[k\right]})\hfill \end{array}$$

(51)

$$\begin{array}{cc}\hfill & \stackrel{\left(15\right)}{=}{\displaystyle \frac{1}{N}}{\displaystyle \sum _{n=1}^N}I(W_{k:K};A_n^{\left[k\right]}|W_{1:k-1},{\hat{W}}_k,Z,Q_{1:N}^{\left[k\right]},A_{1:n-1}^{\left[k\right]})\hfill \end{array}$$

(52)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{N}}I(W_{k:K};A_{1:N}^{\left[k\right]}|W_{1:k-1},{\hat{W}}_k,Z,Q_{1:N}^{\left[k\right]})\hfill \end{array}$$

(53)

$$\begin{array}{cc}\hfill & \stackrel{\left(14\right)}{=}{\displaystyle \frac{1}{N}}I(W_{k:K};Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k-1},{\hat{W}}_k,Z)\hfill \end{array}$$

(54)

$$\begin{array}{cc}\hfill & \stackrel{\left(17\right)}{=}{\displaystyle \frac{1}{N}}I(W_{k:K};W_k,Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k-1},{\hat{W}}_k,Z)\hfill \end{array}$$

(55)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{N}}I(W_{k:K};Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k},{\hat{W}}_k,Z)+{\displaystyle \frac{1}{N}}I(W_{k:K};W_k|W_{1:k-1},{\hat{W}}_k,Z)\hfill \end{array}$$

(56)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{N}}I(W_{k:K};Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k},{\hat{W}}_k,Z)+{\displaystyle \frac{1}{N}}H\left(W_k\right|{\hat{W}}_k,Z)\hfill \end{array}$$

(57)

$$\begin{array}{cc}\hfill & \stackrel{\left(10\right),\left(7\right)}{\ge }{\displaystyle \frac{1}{N}}I(W_{k+1:K};Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k},{\hat{W}}_k,Z)+{\displaystyle \frac{\overline{L}-Lr}{N}}.\hfill \end{array}$$

(58)

Note that (58) follows from a similar argument in Lemma 1 starting at (37). Next, for the second term in (45), we have

$$\begin{array}{cc}\hfill & I(W_{k:K};Z,{\hat{W}}_{k-1}|W_{1:k-1})\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =H\left(W_{k:K}\right|W_{1:k-1})-H\left(W_{k:K}\right|W_{k-1},Z,{\hat{W}}_{k-1})\hfill \end{array}$$

(59)

$$\begin{array}{cc}\hfill & =(K-k+1)L-(K-k+1)L(1-r)\hfill \end{array}$$

(60)

$$\begin{array}{cc}\hfill & =(K-k+1)Lr\hfill \end{array}$$

(61)

Combining the above results concludes the proof. □

We now apply the result of Lemma 2 recursively on that of Lemma 1 to get the general lower bound through the following series of inequalities:

$$\begin{array}{cc}\hfill \overline{D}& \stackrel{\left(30\right)}{\ge }(\overline{L}-Lr)+I(W_{k:K};Q_{1:N}^{[k-1]},A_{1:N}^{[k-1]}|W_{1:k-1},{\hat{W}}_1,Z)\hfill \end{array}$$

(62)

$$\begin{array}{cc}\hfill & \stackrel{\left(42\right)}{\ge }(\overline{L}-Lr)+{\displaystyle \frac{\overline{L}-Lr}{N}}\hfill \\ \hfill & +{\displaystyle \frac{1}{N}}I(W_{k+1:K};Q_{1:N}^{\left[k\right]},A_{1:N}^{\left[k\right]}|W_{1:k},{\hat{W}}_k,Z)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & -(K-k+1)Lr\hfill \end{array}$$

(63)

$$\begin{array}{cc}\hfill & \stackrel{\left(42\right)}{\ge }(\overline{L}-Lr)+{\displaystyle \frac{\overline{L}-Lr}{N}}+{\displaystyle \frac{\overline{L}-Lr}{N^2}}\hfill \\ \hfill & +{\displaystyle \frac{1}{N^2}}I(W_{k+2:K};Q_{1:N}^{[k+1]},A_{1:N}^{[k+1]}|W_{1:k+1},{\hat{W}}_{k+1},Z)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & -(K-k+1)Lr+{\displaystyle \frac{(K-k+2)Lr}{N}}\hfill \end{array}$$

(64)

$$\begin{array}{cc}\hfill & \stackrel{\left(42\right)}{\ge }\dots \hfill \end{array}$$

(65)

$$\begin{array}{cc}\hfill & =(\overline{L}-Lr){\displaystyle \sum _{j=0}^{K+1-k}}{\displaystyle \frac{1}{N^j}}-Lr{\displaystyle \sum _{j=0}^{K-k}}{\displaystyle \frac{K+1-k-j}{N^j}}\hfill \end{array}$$

(66)

Next, since the bound in (66) is valid for arbitrary k, it is still valid for k corresponding to the maximum possible lower bound, i.e., (66) gives K intersecting line segments, therefore, the download cost $\overline{D}$ is lower bounded by their maximum value

$$\begin{array}{c}\hfill \overline{D}\ge {\displaystyle \underset{i\in \{2,\dots ,K+1\}}{max}}(\overline{L}-Lr){\displaystyle \sum _{j=0}^{K+1-i}}{\displaystyle \frac{1}{N^j}}-Lr{\displaystyle \sum _{j=0}^{K-i}}{\displaystyle \frac{K+1-i-j}{N^j}}.\end{array}$$

(67)

Since (67) lower bounds the download cost $\overline{D}$ for any cache-aided private updating with unknown prefetching scheme, it also lower bounds the download cost of the optimal private updating scheme ${\overline{D}}_L$. Finally, since ${\overline{D}}_L$ is an integer, we take the ceiling of (67) to get (20).

This concludes the converse proof.

5. Proof of Theorem 2: Achievability for Very Low and Very High Caching Ratios

Our achievability scheme makes use of the correlation between $W_{\theta }$ and ${\hat{W}}_{\theta }$ through the knowledge of their maximum Hamming distance f in order to reduce the download cost. This approach is related to the problem tackled in [32] (without privacy constraints), in which a source is compressed given that it is correlated with some side information that is available only at the decoder. The retrieving user represents the decoder in our case, with side information ${\hat{W}}_{\theta }$. By the Slepian–Wolf coding theorem [36], one can noiselessly compress the source $W_{\theta }$ at the rate of $H\left(W_{\theta }\right|{\hat{W}}_{\theta })=\overline{L}$. The compressed source is treated as a new message to be downloaded using a PIR scheme, as opposed to downloading the whole message $W_{\theta }$. Such a scheme, however, has a message length constraint (unlike most of the PIR works in the literature). For that reason, we leverage tools from the PIR scheme with an arbitrary message length in [34], and extend them to work in the caching setting at hand, to accomplish our task.

While our achievability schemes make use of the local cache Z, we will first give some motivating examples without the user having knowledge of Z, which represents the case $r=0$ tackled in our preliminary work [35].

5.1. Motivating Examples Without Caching

5.1.1. $L=3$, $N=2$, $K=2$, $f=1$, and $r=0$

In this example, we have $\overline{L}={log}_2(1+3)=2$, and $C=2/3$ (from (1)). Setting $r=0$ in (22), we need to show that $\overline{D}=⌈⌈\overline{L}⌉/C⌉=3$ bits is achievable. We first start by constructing a $[3,1,3]$ linear block code, which is in this case a repetition code with generator matrix $\mathsf{G}$ and parity check matrix $\mathsf{H}$ given by

$$\begin{array}{c}\hfill \mathsf{G}=\left[\begin{array}{ccc}1& 1& 1\end{array}\right],\mathsf{H}=\left[\begin{array}{ccc}1& 1& 0\\ 1& 0& 1\end{array}\right].\end{array}$$

(68)

Note that such code is capable of correcting at most $f=1$ error. The syndromes associated with this code are $\mathsf{s}\in \{00,01,10,11\}$. Observe that the length of $\mathsf{s}$ is exactly $⌈\overline{L}⌉$.

Instead of requesting $W_{\theta }$, the user retrieves the index of the coset in which $W_{\theta }$ resides in the code’s standard array. That is, its corresponding syndrome

$$\begin{array}{c}\hfill {\mathsf{s}}_{\theta }=W_{\theta }{\mathsf{H}}^T.\end{array}$$

(69)

The user then compares ${\hat{W}}_{\theta }$ to all the words in that coset, and decodes $W_{\theta }$ as the one closest in Hamming distance. This is guaranteed to yield the unique correct message [32]. Therefore, the syndrome ${\mathsf{s}}_{\theta }$ efficiently represents the flipped bits’ indices ${\overline{W}}_{\theta }$, and one is able to reduce the effective message length from $L=3$ to $⌈\overline{L}⌉=2$ by dealing with the syndrome ${\mathsf{s}}_{\theta }$ instead of $W_{\theta }$.

Let $W_1=[a_1,a_2,a_3]$, and $W_2=[b_1,b_2,b_3]$. The syndromes (the new messages) are given by

$$\begin{array}{cc}\hfill {\mathsf{s}}_1& =W_1{\mathsf{H}}^T=\left[\begin{array}{cc}{a}_1+a_2& a_1+a_3\end{array}\right]\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \triangleq \left[\begin{array}{cc}{\overline{a}}_1& {\overline{a}}_2\end{array}\right],\hfill \end{array}$$

(70)

$$\begin{array}{cc}\hfill {\mathsf{s}}_2& =W_2{\mathsf{H}}^T=\left[\begin{array}{cc}{b}_1+b_2& b_1+b_3\end{array}\right]\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \triangleq \left[\begin{array}{cc}{\overline{b}}_1& {\overline{b}}_2\end{array}\right].\hfill \end{array}$$

(71)

Assume $\theta =1$. Since $⌈\overline{L}⌉=N^{K-1}$, we can apply a non-symmetric PIR scheme [34] to decode ${\mathsf{s}}_1$. This scheme is shown in

Table 2. Query table for $N=K=2$, $L=3$, $f=1$, and $r=0$.

Database 1	Database 2
${\overline{a}}_1$, ${\overline{b}}_1$	${\overline{a}}_2+{\overline{b}}_1$

, and has a download cost of $\overline{D}=3$ bits, which is optimal in this case since it meets the converse bound.

The repetition code used in this example is a perfect code. While this makes $\overline{L}$ an integer, and meets the converse bound, perfect codes are scarce. In the next example, we show how the proposed scheme performs with non-perfect codes.

5.1.2. $L=5$, $N=2$, $K=2$, $f=1$, and $r=0$

In this example, we have $\overline{L}={log}_2(1+5)=2.58$, and $C=2/3$. We show that $\overline{D}=⌈⌈\overline{L}⌉/C⌉=5$ bits is achievable. As in the previous example, we start by constructing a $[5,2,3]$ linear block code. Differently though, this is not a repetition code, and is characterized by

$$\begin{array}{c}\hfill \mathsf{G}=\left[\begin{array}{ccccc}1& 0& 1& 1& 1\\ 0& 1& 1& 1& 0\end{array}\right],\mathsf{H}=\left[\begin{array}{ccccc}1& 1& 1& 0& 0\\ 1& 1& 0& 1& 0\\ 1& 0& 0& 0& 1\end{array}\right].\end{array}$$

(72)

The syndromes $\mathsf{s}$ have length $⌈\overline{L}⌉$. Specifically,

$$\begin{array}{cc}\hfill {\mathsf{s}}_1& =W_1{\mathsf{H}}^T=\left[\begin{array}{ccc}{a}_1+a_2+a_3& a_1+a_2+a_4& a_1+a_5\end{array}\right]\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \triangleq \left[\begin{array}{ccc}{\overline{a}}_1& {\overline{a}}_2& {\overline{a}}_3\end{array}\right],\hfill \end{array}$$

(73)

$$\begin{array}{cc}\hfill {\mathsf{s}}_2& =W_2{\mathsf{H}}^T=\left[\begin{array}{ccc}{b}_1+b_2+b_3& b_1+b_2+b_4& b_1+b_5\end{array}\right]\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \triangleq \left[\begin{array}{ccc}{\overline{b}}_1& {\overline{b}}_2& {\overline{b}}_3\end{array}\right].\hfill \end{array}$$

(74)

Since $⌈\overline{L}⌉=N^{K-1}+1$, we follow the methodology in [34]; we privately download $N^{K-1}=2$ bits (${\overline{a}}_1$ and ${\overline{a}}_2$) using the non-symmetric PIR scheme in the previous example, and then privately download the remaining 1 bit (${\overline{a}}_3$) using the scheme in [37]. The technique in [37] in this case is such that the user requests random linear combinations of $\left[{\overline{a}}_3{\overline{b}}_3\right]$ from database 1 using a random binary vector h, and the same from database 2 yet with $h^{\prime }=h+e_{\theta }$, where $e_i$ is the ith standard basis vector. The full PIR scheme is shown in

Table 3. Query table for $N=K=2$, $L=5$, $f=1$, and $r=0$.

Database 1	Database 2
${\overline{a}}_1$, ${\overline{b}}_1$	${\overline{a}}_2+{\overline{b}}_1$
$h_1{\overline{a}}_3+h_2{\overline{b}}_3$	$(h_1+1){\overline{a}}_3+h_2{\overline{b}}_3$

, and it has a download cost of $\overline{D}=5$ bits, which is 1 bit away from the converse bound since the code used is non-perfect.

5.2. The General Scheme with Caching

For general L, N, K, and f, we construct an $[L,L-⌈\overline{L}⌉,2f+1]$ linear block code. From the Gilbert–Varshamov bound [33], we know that such a code exists if

$$\begin{array}{c}\hfill 2^{⌈\overline{L}⌉}\le {\displaystyle \sum _{j=0}^{2f}}\left({\displaystyle \genfrac{}{}{0pt}{}{L}{j}}\right).\end{array}$$

(75)

In addition, such a code must satisfy the Hamming bound [33]:

$$\begin{array}{c}\hfill {\displaystyle \sum _{j=0}^f}\left({\displaystyle \genfrac{}{}{0pt}{}{L}{j}}\right)\le 2^{⌈\overline{L}⌉}.\end{array}$$

(76)

By the definition of $\overline{L}$ in (9), both (75) and (76) are satisfied, and so the code exists and is able to correct f bit flips.

Next, we map each message to its corresponding syndrome of the constructed code, which is of length $L-(L-⌈\overline{L}⌉)=⌈\overline{L}⌉$. The user then retrieves the syndrome ${\mathsf{s}}_{\theta }$ according to a PIR scheme with N databases, K messages, and $⌈\overline{L}⌉$ message length. For the case $r=0$, by ([34], Theorem 1), a download cost of $⌈⌈\overline{L}⌉/C⌉$ is achievable in this case. Finally, correctness is guaranteed since querying for the syndrome ${\mathsf{s}}_{\theta }$ allows the user to decode $W_{\theta }$ as the unique word in the syndrome’s coset with the least Hamming distance from ${\hat{W}}_{\theta }$ [32]. This shows that (22) holds specifically when $r=0$.

For the case when $r\ne 0$, the user will have access to cached linear combinations of $W_i$ for all $i\in \left[K\right]$. These cached linear combinations are given by $W_i{R}_i$, where $R_i$ is a matrix of dimension $(L\times ⌈\overline{L}⌉)$. For the purposes of our cache-aided achievability, we let

$$\begin{array}{c}\hfill R_i={\mathsf{H}}^T,\forall i\in \left[K\right],\end{array}$$

(77)

where $\mathsf{H}$ is the parity check matrix of the code. This means that during the prefetching phase, bits from our desired syndrome are being cached, and what is left to download is the remaining $⌈\overline{L}⌉-Lr$ bits.

To this end, we develop some novel schemes for cache-aided PIR with an arbitrary message length that utilize the results from [29]. In particular, for all $s\in \{1,2,\dots ,K-1\}$, we define the message length of a cache-aided PIR scheme from [29] with caching ratio $r_s$ as

$$\begin{array}{cc}\hfill L_r\left(s\right)& =\left({\displaystyle \genfrac{}{}{0pt}{}{K-2}{s-1}}\right)+{\displaystyle \sum _{i=0}^{K-1-s}}\left({\displaystyle \genfrac{}{}{0pt}{}{K-1}{s+i}}\right){(N-1)}^{i}N,\hfill \end{array}$$

(78)

and the normalized download cost of such a scheme as

$$\begin{array}{cc}\hfill D_r\left(s\right)& ={\displaystyle \frac{{\sum }_{i=0}^{K-1-s}\left(\genfrac{}{}{0pt}{}{K}{s+1+i}\right){(N-1)}^{i}N}{\left(\genfrac{}{}{0pt}{}{K-2}{s-1}\right)+{\sum }_{i=0}^{K-1-s}\left(\genfrac{}{}{0pt}{}{K-1}{s+i}\right){(N-1)}^{i}N}}.\hfill \end{array}$$

(79)

For very low caching ratio r, we recall from [29] that the optimal normalized download cost of a cache-aided PIR scheme is

$$\begin{array}{c}\hfill D^{\ast }\left(r\right)=(1-r)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}-r·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}},\end{array}$$

(80)

and that for very high caching ratio r (in the context of this work), the optimal normalized download cost of a cache-aided PIR scheme is

$$\begin{array}{c}\hfill D^{\ast }\left(r\right)=(1-r).\end{array}$$

(81)

With these tools in hand, in the remainder of this section, we describe our achievable schemes for very low and very high caching ratios for cache-aided PIR with arbitrary message length, and show that they achieve the download costs in Theorem 2.

5.3. Very Low Caching Ratio: Proof of (22)

What follows is a cache-aided achievable scheme for retrieving an arbitrary L bits for very low caching ratios ($0<r\le r_1={\displaystyle \frac{1}{1+N+N^2+\cdots +N^{K-1}}}$). We first use an optimal cache-aided PIR scheme with message size $L_r\left(1\right)$. Within the desired L bits (including the cached bits), we view each $L_r\left(1\right)$ bits as a group, and proceed until the number of desired bits remaining is strictly less than $L_r\left(1\right)$. To this end, we have

$$\begin{array}{c}\hfill L=G_0{L}_r\left(1\right)+L_0,\end{array}$$

(82)

where $G_0=⌊{\displaystyle \frac{L}{L_r\left(1\right)}}⌋$ and $0\le L_0\le L_r\left(1\right)-1$. If $L_0=0$, then the retrieval is completed. If not, then for the $L_0$ bits that remain, we use an optimal asymmetric PIR scheme with message size $N^{K-1}$ (without caching). Within the remaining $L_0$ desired bits, we view each $N^{K-1}$ bits as a group, and proceed until the number of desired bits remaining is strictly less than $N^{K-1}$. To this end, we have

$$\begin{array}{c}\hfill L_0=G_1{N}^{K-1}+L_1,\end{array}$$

(83)

where $G_1=⌊{\displaystyle \frac{L_0}{N^{k-1}}}⌋$ and $0\le L_1\le N^{K-1}-1$. If $L_1=0$, then the retrieval is completed. If not, then for the $L_1$ bits that remain, we use the scheme in [37] with N databases and message size $N-1$. Within the remaining $L_1$ bits, we view each $N-1$ bits as a group, and proceed until the number of desired bits remaining is strictly less than $N-1$. To this end, we have

$$\begin{array}{c}\hfill L_1=G_2(N-1)+L_2,\end{array}$$

(84)

where $G_2=⌊{\displaystyle \frac{L_1}{N-1}}⌋$ and $0\le L_2\le N-2$. If $L_2=0$, then the retrieval is completed. If $L_2$ bits still remain, we use the scheme in [37] with $L_2+1$ databases and message size $L_2$. Therefore, the message size and the achievable download cost are

$$\begin{array}{cc}\hfill L& =G_0{L}_r\left(1\right)+G_1{N}^{K-1}+G_2(N-1)+L_2,\hfill \end{array}$$

(85)

$$\begin{array}{cc}\hfill D& =\left\{\begin{array}{cc}{G}_0{L}_r\left(1\right)D^{\ast }\left(r_1\right)+G_1{\displaystyle \frac{N^{K-1}}{C}}+G_{2}N,\hfill & \mathrm{if} L_2=0,\hfill \\ G_0{L}_r\left(1\right)D^{\ast }\left(r_1\right)+G_1{\displaystyle \frac{N^{K-1}}{C}}+G_{2}N+L_2+1,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \end{array}$$

(86)

We next show that the achievable download cost in (86) satisfies $D\le \lceil D^{\ast }\left(r\right)·L\rceil$. To this end, we have the following lemma.

Lemma 3. 

For two very low caching ratios $r_a$ and $r_b$ with $0\le r_a\le r_b\le r_1$, we have

$$\begin{array}{c}\hfill D^{\ast }\left(r_a\right)-D^{\ast }\left(r_b\right)=(r_b-r_a)·D_c,\end{array}$$

(87)

where $D_c={\sum }_{i=0}^{K-1}{\displaystyle \frac{K-i}{N^i}}$.

Proof. 

We begin from the left-hand side of (87) and use (80) to write

$$\begin{array}{cc}\hfill & D^{\ast }\left(r_a\right)-D^{\ast }\left(r_b\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =\left((1-r_a)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}-r_a·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}}\right)-\left((1-r_b)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}-r_b·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}}\right)\hfill \end{array}$$

(88)

$$\begin{array}{cc}\hfill & =(r_b-r_a)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}+(r_b-r_a)·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}}\hfill \end{array}$$

(89)

$$\begin{array}{cc}\hfill & =(r_b-r_a)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1+(K-1-i)}{N^i}}\hfill \end{array}$$

(90)

$$\begin{array}{cc}\hfill & =(r_b-r_a)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{K-i}{N^i}}.\hfill \end{array}$$

(91)

Defining $D_c={\sum }_{i=0}^{K-1}{\displaystyle \frac{K-i}{N^i}}$ concludes the proof. □

Now towards proving $D\le \lceil D^{\ast }\left(r\right)·L\rceil$, it suffices to show that $D<D^{\ast }\left(r\right)·L+1$ for two cases. For the first case, let $L_2=0$. We wish to show that

$$\begin{array}{cc}\hfill & G_0{L}_r\left(1\right)D^{\ast }\left(r_1\right)+G_1{\displaystyle \frac{N^{K-1}}{C}}+G_{2}N+L_2\hfill \end{array}$$

$$\begin{array}{cc}\hfill & <D^{\ast }\left(r\right)·\left(G_0{L}_r\left(1\right)+G_1{N}^{K-1}+G_2(N-1)+L_2\right)+1.\hfill \end{array}$$

(92)

First, we group the terms in (92); we need to show that

$$\begin{array}{cc}\hfill & -G_0{L}_r\left(1\right)·\left(D^{\ast }\left(r\right)-D^{\ast }\left(r_1\right)\right)+G_1{N}^{K-1}·\left({\displaystyle \frac{1}{C}}-D^{\ast }\left(r\right)\right)-(G_2(N-1)+L_2)D^{\ast }\left(r\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & <1-G_{2}N-L_2.\hfill \end{array}$$

(93)

Focusing on the left-hand side of (93), we use Lemma 3 to simplify the expression, while noting that $D^{\ast }\left(0\right)={\displaystyle \frac{1}{C}}$, as follows:

$$\begin{array}{cc}\hfill & -G_0{L}_r\left(1\right)·\left(D^{\ast }\left(r\right)-D^{\ast }\left(r_1\right)\right)+G_1{N}^{K-1}·\left({\displaystyle \frac{1}{C}}-D^{\ast }\left(r\right)\right)-(G_2(N-1)+L_2)D^{\ast }\left(r\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =-G_0{L}_r\left(1\right)D_c(r_1-r)+G_1{N}^{K-1}{D}_{c}r-(G_2(N-1)+L_2)\left({\displaystyle \frac{1}{C}}-D_{c}r\right)\hfill \end{array}$$

(94)

$$\begin{array}{cc}\hfill & =D_c·\left(-G_0{L}_r\left(1\right)r_1+G_0{L}_r\left(1\right)r+G_1{N}^{K-1}r+G_2(N-1)r+L_{2}r\right)-{\displaystyle \frac{G_2(N-1)+L_2}{C}}\hfill \end{array}$$

(95)

$$\begin{array}{cc}\hfill & =D_c·\left(-G_0{L}_r\left(1\right)r_1+Lr\right)-{\displaystyle \frac{G_2(N-1)+L_2}{C}}\hfill \end{array}$$

(96)

$$\begin{array}{cc}\hfill & =D_c·\left(-G_0+Lr\right)-{\displaystyle \frac{G_2(N-1)+L_2}{C}}.\hfill \end{array}$$

(97)

Note that $Lr$ is the number of cached bits, and that $G_0$ is the number of times a cache-aided PIR scheme is used. For very low caching ratios, these quantities are equal, and so we have

$$\begin{array}{c}\hfill D_c·\left(Lr-G_0\right)-{\displaystyle \frac{G_2(N-1)+L_2}{C}}=-{\displaystyle \frac{G_2(N-1)+L_2}{C}}.\end{array}$$

(98)

Now, substituting (98) back into (93), we now need to show

$$\begin{array}{c}\hfill 0<1-G_{2}N-L_2+{\displaystyle \frac{G_2(N-1)+L_2}{C}}.\end{array}$$

(99)

If $N=1$, then $G_2=0$, and so (99) clearly follows. For the case when $N\ge 2$, plugging in $C={\displaystyle \frac{N^{K-1}(N-1)}{N^K-1}}$ to the right-hand side of (99) gives

$$\begin{array}{cc}\hfill & 1-G_{2}N-L_2+{\displaystyle \frac{G_2(N-1)+L_2}{C}}\hfill \end{array}$$

(100)

$$\begin{array}{cc}\hfill & =1-G_{2}N+G_2{\displaystyle \frac{N^K-1}{N^{K-1}}}+L_2\left({\displaystyle \frac{N^K-1}{N^{K-1}(N-1)}}-1\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =1-G_2{\displaystyle \frac{1}{N^{K-1}}}+L_2\left({\displaystyle \frac{N^{K-1}-1}{N^{K-1}(N-1)}}\right).\hfill \end{array}$$

(101)

We wish to find a lower bound for (101). To this end, we want to maximize $G_2$ and minimize $L_2$. We know that $L_2\ge 1$, but this also means that $G_2(N-1)<L_1\le N^{K-1}-1$ from (84). Plugging these values into (101) gives

$$\begin{array}{cc}\hfill & 1-G_2{\displaystyle \frac{1}{N^{K-1}}}+L_2\left({\displaystyle \frac{N^{K-1}-1}{N^{K-1}(N-1)}}\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \ge 1-{\displaystyle \frac{G_2(N-1)}{N^{K-1}(N-1)}}+{\displaystyle \frac{N^{K-1}-1}{N^{K-1}(N-1)}}\hfill \end{array}$$

(102)

$$\begin{array}{cc}\hfill & >1-{\displaystyle \frac{N^{K-1}-1}{N^{K-1}(N-1)}}+{\displaystyle \frac{N^{K-1}-1}{N^{K-1}(N-1)}}=1.\hfill \end{array}$$

(103)

and so (99) holds for $N\ge 2$.

For the second case, let $L_2\ge 1$. We wish to show that

$$\begin{array}{cc}\hfill & G_0{L}_r\left(1\right)D^{\ast }\left(r_1\right)+G_1{\displaystyle \frac{N^{K-1}}{C}}+G_{2}N+L_2+1\hfill \end{array}$$

$$\begin{array}{cc}\hfill & <D^{\ast }\left(r\right)·\left(G_0{L}_r\left(1\right)+G_1{N}^{K-1}+G_2(N-1)+L_2\right)+1.\hfill \end{array}$$

(104)

First, we group the terms in (104); we need to show that

$$\begin{array}{cc}\hfill & G_1{N}^{K-1}·\left({\displaystyle \frac{1}{C}}-D^{\ast }\left(r\right)\right)-G_0{L}_r\left(1\right)·\left(D^{\ast }\left(r\right)-D^{\ast }\left(r_1\right)\right)-(G_2(N-1)+L_2)D^{\ast }\left(r\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & <1-G_{2}N-L_2-1.\hfill \end{array}$$

(105)

By (98), we substitute the left-hand side of (105) so that we have

$$\begin{array}{c}\hfill 0<1-G_{2}N-L_2+{\displaystyle \frac{G_2(N-1)+L_2}{C}}-1.\end{array}$$

(106)

Since $L_2\ge 1$, we have $N\ge 2$, and so (106) holds by (103). This completes the proof that $D\le \lceil D^{\ast }\left(r\right)·L\rceil$ for very low caching ratios.

Since the above PIR scheme is constructed as a concatenation of several PIR schemes that are both correct and private, by ([34], Theorem 4), the above scheme is both correct and private. To conclude our proof, we define a normalized version of r:

$$\begin{array}{c}\hfill \tilde{r}={\displaystyle \frac{Lr}{⌈\overline{L}⌉}},\end{array}$$

(107)

as the effective caching ratio. Clearly, by (13), $0\le \tilde{r}\le 1$. Now, since the above PIR scheme retrieves L bits (including cached bits) at a download cost of $D\le \lceil D^{\ast }\left(r\right)·L\rceil$, this scheme can be used to retrieve $⌈\overline{L}⌉$ bits (including some $Lr$ cached bits) at a download cost of $\overline{D}\le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$. Expanding this statement gives

$$\begin{array}{cc}\hfill & \overline{D}\le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉\hfill \end{array}$$

(108)

$$\begin{array}{cc}\hfill & =⌈⌈\overline{L}⌉(1-\tilde{r})·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}-⌈\overline{L}⌉\tilde{r}·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}}⌉\hfill \end{array}$$

(109)

$$\begin{array}{cc}\hfill & =⌈\left(⌈\overline{L}⌉-Lr\right)·{\displaystyle \sum _{i=0}^{K-1}}{\displaystyle \frac{1}{N^i}}-Lr·{\displaystyle \sum _{i=0}^{K-2}}{\displaystyle \frac{K-1-i}{N^i}}⌉,\hfill \end{array}$$

(110)

which is precisely (22).

5.4. Very High Caching Ratio: Proof of (23)

What follows is a cache-aided achievable scheme for retrieving an arbitrary L bits, for very high caching ratios ($r_{K-1}={\displaystyle \frac{1}{1+N}}\le r\le 1$). In this scheme, we only use an optimal cache-aided PIR scheme with message size $L_r(K-1)=1+N$. We note that in this scheme, for each bit we have cached, we can download 1 bit from each of the N databases to get a total of N unknown bits at a download cost of N bits.

Within the desired L bits (including cached bits), we view each $L_r(K-1)$ bits as a group, and proceed until the number of desired and unknown $L-Lr$ bits remaining is strictly less than N. To this end, we have

$$\begin{array}{c}\hfill L=G_0{L}_r(K-1)+L_0,\end{array}$$

(111)

where $G_0=⌊{\displaystyle \frac{L-Lr}{N}}⌋$, and $L_0=L-G_0{L}_r(K-1)$. We define $C_0=Lr-G_0$ as the number of unused cached bits thus far in our scheme. If we have $L_0=C_0$, then we have all of our desired information, and we are done. Otherwise, we still have $L_0-C_0<N$ bits left to download. Since the caching ratio r is very high, we have $C_0\ge 1$, and so we can use this bit, as noted above, to download 1 bit from $L_0-C_0<N$ databases each to obtain the remaining $L_0-C_0$ unknown bits at a download cost of $L_0-C_0$ bits. Therefore, the message size and the achievable download cost are

$$\begin{array}{cc}\hfill L& =G_0{L}_r(K-1)+L_0,\hfill \end{array}$$

(112)

$$\begin{array}{cc}\hfill D& =G_0{L}_r(K-1)D^{\ast }\left(r_{K-1}\right)+L_0-C_0.\hfill \end{array}$$

(113)

We next show that the achievable download cost in (113) satisfies $D\le \lceil D^{\ast }\left(r\right)·L\rceil$. To this end, it it suffices to show that $D<D^{\ast }\left(r\right)·L+1$, or more specifically, that

$$\begin{array}{cc}\hfill & G_0{L}_r(K-1)D^{\ast }\left(r_{K-1}\right)+L_0-C_0<D^{\ast }\left(r\right)·L+1.\hfill \end{array}$$

(114)

First, we rearrange the terms in (114) as

$$\begin{array}{cc}\hfill & G_0{L}_r(K-1)D^{\ast }\left(r_{K-1}\right)+L_0-C_0-D^{\ast }\left(r\right)·L<1,\hfill \end{array}$$

(115)

and then we reduce the left-hand side of (115) as follows

$$\begin{array}{cc}\hfill & G_0{L}_r(K-1)D^{\ast }\left(r_{K-1}\right)+L_0-C_0-D^{\ast }\left(r\right)·L\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =G_0(1+N)(1-{\displaystyle \frac{1}{1+N}})+L_0-C_0-(1-r)·L\hfill \end{array}$$

(116)

$$\begin{array}{cc}\hfill & =G_{0}N+L_0-C_0-L+Lr\hfill \end{array}$$

(117)

$$\begin{array}{cc}\hfill & =-C_0-G_0+Lr=0.\hfill \end{array}$$

(118)

Thus, (114) holds, and so this completes the proof that $D\le \lceil D^{\ast }\left(r\right)·L\rceil$ for very high caching ratios.

Again, since the above PIR scheme is constructed as a concatenation of several PIR schemes that are both correct and private, by ([34], Theorem 4), the above scheme is both correct and private. Furthermore, since the above PIR scheme retrieves L bits (including cached bits) at a download cost of $D\le \lceil D^{\ast }\left(r\right)·L\rceil$, this scheme can be used to retrieve $⌈\overline{L}⌉$ bits (including some $Lr$ cached bits) at a download cost of $\overline{D}\le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$. Expanding this statement gives

$$\begin{array}{cc}\hfill \overline{D}& \le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉\hfill \end{array}$$

(119)

$$\begin{array}{cc}\hfill & =⌈(1-\tilde{r})·⌈\overline{L}⌉⌉\hfill \end{array}$$

(120)

$$\begin{array}{cc}\hfill & =⌈⌈\overline{L}⌉-Lr⌉=⌈\overline{L}⌉-Lr,\hfill \end{array}$$

(121)

which is precisely (23).

6. Proof of Theorem 3: Achievability for $\mathbf{K}=\mathbf{3}$ with Mid-Range Caching Ratios

What follows is a cache-aided achievable scheme for retrieving an arbitrary L bits, for mid-range caching ratios given fixed $K=3$ setting $\left({\displaystyle \frac{1}{1+N+N^2}}=r_1<r<r_2={\displaystyle \frac{1}{1+N}}\right)$. This scheme leverages cache-aided PIR schemes for very high and very low caching ratios but within an asymmetric PIR setting instead.

First, consider the asymmetric cache-aided PIR scheme with $N=3$ and $L=3$ in

Table 4. Asymmetric query table with $N=K=L=3$ and very high r. Here, we have $Z=\{a_1,a_2,b_1,b_2,c_1,c_2\}$.

Database 1	Database 2	Database 3
$a_3+b_1+c_1$

. This scheme does not utilize all of the databases, nor does it utilize the cache in full. This scheme downloads one useful bit privately at a cost of 1 bit, and it is an asymmetric version of the cache-aided PIR scheme for very high caching ratios. This scheme can be repeated up to five more times to get up to five more useful bits, and each additional bit is obtained privately.

Next, consider the asymmetric cache-aided PIR scheme with $N=3$ and $L=6$ in

Table 5. Asymmetric query table with $N=K=3$, $L=6$ and very low r. Here, we have $Z=\{a_1,a_2,b_1,b_2,c_1,c_2\}$.

Database 1	Database 2	Database 3
$a_3+b_1$
$a_4+c_1$
$b_3+c_3$
	$a_5+b_3+c_3$	$a_6+b_3+c_3$

. While this scheme does utilize all of the databases, it has asymmetric traffic between the databases, and it also does not utilize the cache in full. This scheme downloads $1+N$ useful bits at a cost of $2+N$, and it is an asymmetric version of the cache-aided PIR scheme for very low caching ratios. Once again, this scheme can be repeated up to five more times to get up to $5·(1+N)$ more useful bits, and each additional set of $1+N$ bits is obtained privately.

In these examples, we see that each scheme can be used a total of $N·Lr=6$ times. Now, note that these two schemes can be used in conjunction with one another, and that rather than repeating the same scheme over and over again, we can just use them interchangeably to suit our needs.

Consider a cache-aided PIR example where $N=3$, $L=14$, and $r={\displaystyle \frac{2}{14}}$. Note that r is now mid-range. We can use a combination of the asymmetric very high caching ratio scheme and very low caching ratio scheme to download the remaining 12 useful bits as shown in

Table 6. Query table for $N=K=3$, $L=14$, and mid-range caching ratio $r={\displaystyle \frac{2}{14}}$. Here, we have $Z=\{a_1,a_2,b_1,b_2,c_1,c_2\}$.

Database 1	Database 2	Database 3
$a_3+b_1+c_1$	$a_4+b_1+c_1$	$a_5+b_1+c_1$
		$a_6+b_2+c_2$
$a_7+b_2$	$a_{11}+b_2$
$a_8+c_2$	$a_{12}+c_2$
$b_3+c_3$	$b_4+c_4$
	$a_9+b_3+c_3$	$a_{10}+b_3+c_3$
$a_{13}+b_4+c_4$		$a_{14}+b_4+c_4$

. First, we use the asymmetric very high caching ratio scheme four times to obtain four useful bits at a cost of 4 bits total. Then, we use the the asymmetric very low caching ratio scheme two times to download the remaining $2·(1+N)=8$ useful bits at a cost of $2·(2+N)=10$, and so the total download cost is 14.

It is also worth noting that in the same scenario, but with $L=13$ and $r={\displaystyle \frac{2}{13}}$, we can use almost the almost the same query structure as in Table 6. The only difference is that we truncate the given scheme by not making the query for $a_{14}$. In this particular case, this truncation strategy can be performed again to obtain an $L=12$, $r={\displaystyle \frac{2}{12}}$ query structure.

In general, one can use a combination of $N·Lr-1$ very high and very low caching ratio schemes, and then if the remaining number of useful bits left to download is some ℓ with $1<\mathcal{l}<N+1$, use a truncated very low caching ratio scheme. Otherwise, just a normal very high or very low caching ratio scheme can be used.

In order to determine the number of times these very high and very low schemes are used, along with the number of bits that are downloaded via the truncation strategy, we define three terms as follows:

$$\begin{array}{cc}\hfill G_1& =⌊{\displaystyle \frac{L_r\left(1\right)·Lr-L}{N}}⌋,\hfill \end{array}$$

(122)

$$\begin{array}{cc}\hfill G_2& =⌊{\displaystyle \frac{L-L_r\left(2\right)·Lr}{N}}⌋,\hfill \end{array}$$

(123)

$$\begin{array}{cc}\hfill L_3& =L-(G_1+G_2(1+N))-Lr.\hfill \end{array}$$

(124)

The $G_1$ term is the number of times a very high caching ratio scheme is used, while $G_2$ is the number of times a very low caching ratio scheme is used. The $L_3$ term is the number of bits obtained from the truncation strategy when it is used. According to these terms, it follows that the message size and the achievable download cost are

$$\begin{array}{cc}\hfill L& =G_1+G_2(1+N)+L_3+Lr,\hfill \end{array}$$

(125)

$$\begin{array}{cc}\hfill D& =\left\{\begin{array}{cc}{G}_1+G_2(2+N),\hfill & \mathrm{if} L_3=0,\hfill \\ G_1+G_2(2+N)+L_3+1,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \end{array}$$

(126)

Lastly, for mid-range caching ratios with $K=3$, we recall from [29] that the optimal normalized download cost of a cache-aided PIR scheme is

$$\begin{array}{c}\hfill D^{\ast }\left(r\right)=(1-r)\left(1+{\displaystyle \frac{1}{N}}\right)-r.\end{array}$$

(127)

We next show that the achievable download cost in (126) satisfies $D\le ⌈D^{\ast }\left(r\right)·L⌉$. To this end, it suffices to show that $D<D^{\ast }\left(r\right)·L+1$ for two cases. For the first case, let $L_3=0$. We wish to show that

$$\begin{array}{cc}\hfill & G_1+G_2(2+N)+L_3-D^{\ast }\left(r\right)·L<1.\hfill \end{array}$$

(128)

Reducing the left-hand side of (128), we have

$$\begin{array}{cc}\hfill & G_1+G_2(2+N)+L_3-D^{\ast }\left(r\right)·L\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =G_1+G_2(2+N)+L_3-((1-r)·(1+{\displaystyle \frac{1}{N}})-r)·L\hfill \end{array}$$

(129)

$$\begin{array}{cc}\hfill & =G_1+G_2(2+N)+L_3-(1-2r+{\displaystyle \frac{1-r}{N}})·(G_1+G_2(1+N)+L_3+Lr)\hfill \end{array}$$

(130)

$$\begin{array}{cc}\hfill & =G_2-Lr+(2r-{\displaystyle \frac{1-r}{N}})·L\hfill \end{array}$$

(131)

$$\begin{array}{cc}\hfill & =G_2+Lr-{\displaystyle \frac{L-Lr}{N}}\hfill \end{array}$$

(132)

$$\begin{array}{cc}\hfill & =G_2-{\displaystyle \frac{L-(1+N)·Lr}{N}}\hfill \end{array}$$

(133)

$$\begin{array}{cc}\hfill & =G_2-{\displaystyle \frac{L-L_r\left(2\right)·Lr}{N}}.\hfill \end{array}$$

(134)

Substituting (134) into (128), we need to show that

$$\begin{array}{c}\hfill G_2-{\displaystyle \frac{L-L_r\left(2\right)·Lr}{N}}<1,\end{array}$$

(135)

which clearly holds by (123). It follows that (128) holds when $L_3=0$. To show that this is also the case when $L_3\ge 1$, we use a lemma.

Lemma 4. 

In the $K=3$ setting, for any caching ratio r with ${\displaystyle \frac{1}{1+N+N^2}}=r_1<r<r_2={\displaystyle \frac{1}{1+N}}$, we have

$$\begin{array}{c}\hfill L_3=0⟺{\displaystyle \frac{L-L_r\left(2\right)·Lr}{N}}\in \mathbb{Z}\end{array}$$

(136)

The proof of Lemma 4 can be found in Appendix B.

Now, for the second case, let $L_3\ge 1$. We wish to show that

$$\begin{array}{cc}\hfill & G_1+G_2(2+N)+L_3-D^{\ast }\left(r\right)·L<0.\hfill \end{array}$$

(137)

By (134), we substitute the left-hand side of (137) so that we have

$$\begin{array}{c}\hfill G_2-{\displaystyle \frac{L-L_r\left(2\right)·Lr}{N}}<0,\end{array}$$

(138)

which holds by Lemma 4. Thus, this completes the proof that $D\le ⌈D^{\ast }\left(r\right)·L⌉$ for mid-range caching ratios in the $K=3$ setting.

Since the above PIR scheme is constructed as a concatenation of several PIR schemes that are both correct and private (by [34], Theorem 4), the above scheme is both correct and private. Furthermore, since the above PIR scheme retrieves L bits (including cached bits) at a download cost of $D\le \lceil D^{\ast }\left(r\right)·L\rceil$, this scheme can be used to retrieve $⌈\overline{L}⌉$ bits (including some $Lr$ cached bits) at a download cost of $\overline{D}\le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$. Expanding this statement gives

$$\begin{array}{cc}\hfill \overline{D}& \le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉\hfill \end{array}$$

(139)

$$\begin{array}{cc}\hfill & =⌈⌈\overline{L}⌉(1-\tilde{r})\left(1+{\displaystyle \frac{1}{N}}\right)-⌈\overline{L}⌉\tilde{r}⌉\hfill \end{array}$$

(140)

$$\begin{array}{cc}\hfill & =⌈\left(⌈\overline{L}⌉-Lr\right)\left(1+{\displaystyle \frac{1}{N}}\right)-Lr⌉\hfill \end{array}$$

(141)

which is precisely (26).

7. Discussion

As seen in Corollary 1, for very low and very high effective caching ratios, we obtain full characterizations of the optimal download cost ${\overline{D}}_L$ for fixed $L,N,K,$ and f. What remains is to perform the same for an effective caching ratio $\tilde{r}$, defined in (107), with ${\displaystyle \frac{1}{1+N+N^2+\cdots +N^{K-1}}}=r_1\le \tilde{r}\le r_{K-1}={\displaystyle \frac{1}{1+N}}$, i.e., such caching ratios that are mid-range. With Theorem 3 and Corollary 2, this has been performed for the $K=3$ case. However, this is still an open question for when K is arbitrary.

Our approach for our achievability when $\tilde{r}\ne 0$ has been to describe an arbitrary message length PIR scheme for a setting with unknown prefetching, and then show that the download cost D of such a scheme satisfies $D\le ⌈D^{\ast }\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$. This approach mirrors what was performed in [34] for the classical PIR setting.

From [29], for $r_s<r<r_{s+1}$ and $\alpha \in [0,1]$ with $r=\alpha r_s+(1-\alpha )r_{s+1}$, we define

$$\begin{array}{c}\hfill \overline{D}\left(r\right)=\alpha D_r\left(s\right)+(1-\alpha )D_r(s+1).\end{array}$$

(142)

We know that $\overline{D}\left(r\right)=D^{\ast }\left(r\right)$ for very low and very high caching ratio r, and this is used in our approach for Theorem 2. This is likewise the case for mid-range caching ratios r when $K=3$ in Theorem 3. For when $\overline{D}\left(r\right)\ne D^{\ast }\left(r\right)$, as is the case for most mid-range caching ratios, we can still attempt to describe a scheme, and show that the download cost $D\le ⌈\overline{D}\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$ to obtain some useful result.

Our goal in this section is to present a motivating example that shows what these results may look like. Consider the following example setting: $N=3$, $K=4$, and $r_{K-2}\le r\le r_{K-1}$. We have $r_1={\displaystyle \frac{1}{40}}$ and $r_{K-1}={\displaystyle \frac{1}{4}}$, and so a caching ratio is mid-range in this setting if ${\displaystyle \frac{1}{40}}\le r\le {\displaystyle \frac{1}{4}}$. However, for our purposes, we will focus on the subset of mid-range caching ratios r satisfying $r_{K-2}={\displaystyle \frac{2}{17}}\le r\le {\displaystyle \frac{1}{4}}$. With this in mind, let us consider some scenarios with a caching ratio $r={\displaystyle \frac{1}{7}}$ starting with the case when the number of cached bits is 3, and so the total message length is 21. Using the methods found in this work, we have a scheme satisfying $D\le ⌈\overline{D}\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$ given in

Table 7. Query table for $N=3$, $K=4$, $L=21$, and $r={\displaystyle \frac{3}{21}}$. Here, we have $Z=\{a_1,a_2,a_3,b_1,b_2,b_3,c_1,c_2,c_3,d_1,d_2,d_3\}$.

Database 1	Database 2	Database 3
$a_4+b_1+c_1$	$a_7+b_1+c_1$	$a_{10}+b_1+c_1$
$a_5+b_2+d_1$	$a_8+b_2+d_1$	$a_{11}+b_2+d_1$
$a_6+c_2+d_2$	$a_9+c_2+d_2$	$a_{12}+b_2+d_2$
$b_4+c_4+d_4$	$b_5+c_5+d_5$	$b_6+c_6+d_6$
$a_{13}+b_5+c_5+d_5$	$a_{15}+b_4+c_4+d_4$	$a_{17}+b_4+c_4+d_4$
$a_{14}+b_6+c_6+d_6$	$a_{16}+b_6+c_6+d_6$	$a_{18}+b_5+c_5+d_5$
$a_{19}+b_3+c_3+d_3$	$a_{20}+b_3+c_3+d_3$	$a_{21}+b_3+c_3+d_3$

.

Using these same methods, if there are two cached bits with a total message length of 14, then we also have a scheme satisfying $D\le ⌈\overline{D}\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$ using a subset of the queries in Table 7. However, for the case when there is only one cached bit with a total message length of seven, we have no scheme satisfying $D\le ⌈\overline{D}\left(\tilde{r}\right)·⌈\overline{L}⌉⌉$, not with using the methods in this work at least. It is worth noting that for some other mid-range caching ratios with this setting, the scheme from [37] can be used to produce some satisfactory results ($r={\displaystyle \frac{1}{6}}$ for example) but not for the case when $r={\displaystyle \frac{1}{7}}$ in this setting. This is discussed in more detail in [38].

The question remains: why does this pattern break, and why it is difficult to find an alternative query structure? The answer we have come to is that it has not to do with with the value of the r, but with the number number of cached bits $Lr$. More specifically, there may be some additional limitation on how low of a download cost can be achieved with a cache-aided arbitrary message length PIR scheme when $Lr$ is relatively low (or in this case, when $Lr=1$). Investigating such limitations is left to future works.

8. Conclusions

In this work, we introduce the cache-aided private updating problem with unknown prefetching, in which a user’s outdated message is to be privately updated by utilizing a private cache and querying a set of replicated and non-colluding databases that have the up-to-date version. To solve this problem, we develop novel arbitrary message length cache-aided PIR schemes for different caching ratios. These schemes are then combined with syndrome decoding techniques to guarantee privacy and efficiency. Such schemes are optimal when the system parameters enable the construction of a perfect code according to which the syndrome decoding technique is worked out. In other cases, the achievable download cost has been shown to be within at most 2 bits from a derived converse bound.

Outside of the issues discussed in Section 7, another item that could be resolved in this problem is the inflexible nature of the cache in our achievability. Specifically, the fact that for each $i\in \left[K\right]$, we fix $R_i={\mathsf{H}}^T$ during the prefetching phase. Imposing less control over the prefetching phase is one direction to be pursued in the research line of cache-aided private updating.