On the Storage–Communication Trade-Off in Graph-Based X-Secure T-Private Linear Computation

Abstract

The problem of graph-based X-secure T-private linear computation (GXSTPLC) is to allow a user to retrieve a linear combination of K messages from a set of N distributed servers that store the messages in a graph-based fashion, i.e., each message is restricted to be distributed among a subset of servers. T-privacy requires that the coefficients of the linear combination are not revealed to any group of up to T colluding servers, and X-security guarantees that any set of up to X colluding servers learns nothing about the messages. In this paper, we propose an achievability scheme for GXSTPLC that enables a storage–communication trade-off by exploiting non-replicated storage codes. Novel aspects of our achievability scheme include the usage of the idea of cross-subspace alignment null shaper that addresses various challenges posed by the graph-based storage structure. In addition, unlike previous works, our scheme allows a direct transformation into a quantum one to achieve a superdense coding gain by leveraging the idea of N-Sum Box abstraction of quantum “over-the-air” computing.

1. Introduction

Escalating concerns regarding security and privacy in distributed systems motivate the problem of private linear computation (PLC). PLC considers a scenario where K messages are stored (possibly replicated or coded) across N distributed servers. The user aims to retrieve a linear combination of these messages without revealing the coefficients of the linear combination to any group of up to T colluding servers, where T, representing the maximum number of tolerable colluding servers, is referred to as the privacy threshold. Notably, PLC is a non-trivial generalization of private information retrieval (PIR), as PIR corresponds to the special case where the user uses a one-hot coefficient vector to retrieve a single message. Recent advancements in the study of PIR and PLC from an information-theoretic perspective have yielded a series of capacity (i.e., the reciprocal of the minimum possible normalized download cost across N servers) characterizations and novel coding schemes for these problems and their variants [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45].

Existing paradigms like PIR and PLC often assume global data availability, where each message can be stored across all servers, which is cumbersome in real-world applications due to constraints such as geographic blocking, network connectivity, and data security, so that data are not uniformly available at all servers, and data must be secure against storage eavesdroppers. Driven by this problem, a PLC variant known as graph-based X-secure T-private linear computation (GXSTPLC) incorporates two key constraints. First, the non-uniform data availability, or graph-based PLC, where each message is restricted to be stored among a specific subset of servers, referred to as the storage pattern. This pattern can be naturally represented by a hypergraph where servers are nodes and the storage subset for each message forms a hyperedge. Second, X-security of the storage, a standard requirement ensuring that no information about the messages is revealed to any set of up to X colluding servers. While several prior works address graph-based PIR/PLC [35,36,37,38], and the asymptotic (i.e., in the limit as the number of messages K approaches infinity) capacity of GXSTPLC was fully characterized in [38], a subtle observation arises. To the best of our knowledge, the storage codes in related prior graph-based PIR/PLC works are essentially repetition codes (meaning each stored portion of a message is at least as large as the original message). Furthermore, the achievability scheme in [38] may necessitate storage exceeding simple replication, which can be highly storage-inefficient. Our work is motivated by this potential storage inefficiency; i.e., we are interested in the trade-off between the download cost and storage efficiency by leveraging coding techniques in the storage construction. We note that deriving the tight converse bound (i.e., the full capacity characterization) for the storage–download trade-off of GXSTPLC remains a challenging open problem. The focus of this work is to establish the first achievability scheme that enables such a trade-off.

The main result of this work is an achievability scheme for GXSTPLC that allows a trade-off between the download cost and storage cost. Specifically, we first propose an achievability scheme for a closely related problem, namely Asymmetric MDS-GXSTPLC, where security and privacy requirements are non-uniform across the messages; i.e., each message and the corresponding coefficient are specified with individual security and privacy thresholds. In addition, the storage code for each message is an MDS code that results in a reduction in storage cost (by trading off the communication efficiency). Then, based on the achievability scheme for Asymmetric MDS-GXSTPLC, our achievability scheme is finalized by adapting the idea of the augmented system in [38]. The key novelty that distinguishes our scheme from previous state-of-the-art is summarized as follows:

• The idea of exploiting MDS codes for the storage in graph-based PIR/PLC: Ref. [38] achieves a single point (minimum download cost) using replication codes that turn out to be storage-inefficient, while our scheme leverages MDS-coded storage to allow a storage–download trade-off. To the best of our knowledge, this is the first scheme to incorporate MDS codes in graph-based PIR/PLC.
• The technique used to handle the challenges introduced by the graph-based storage structure: Our work introduces a novel technique centered around the idea of a cross-subspace alignment (CSA) null shaper introduced in [27] to address the challenges introduced by the graph-based storage structure. The CSA null shaper was originally designed for storage-consistent private updates with unavailable servers. However, in this work, this idea is adapted to ensure that the overall storage conforms to valid CSA codewords under the graph-based storage constraints. This distinguishes our scheme from the scheme in [38], where the PLC under graph-based storage structure is enabled by a combination of techniques including CSA codes, dual Generalized Reed–Solomon (GRS) codes, and a Vandermonde decomposition of Cauchy matrices. Intuitively, CSA codes can be viewed as evaluation codes, and the CSA null shaper carefully places zeros at certain evaluation points, which correspond precisely to the servers prohibited by the graph-based storage pattern from storing codewords of a particular message. Consequently, the codewords for these servers are explicitly set to zero, requiring no storage at all, and the overall codewords (including zeros) remain valid CSA codewords. It should be noted that the idea of placing zeros in the storage construction for graph-based PIR/PLC may be profound, as the storage code of many known PIR/PLC schemes can be viewed as evaluation codes (e.g., polynomial codes based PIR/PLC in [12,24,46,47,48,49]). This idea may transform known PIR/PLC schemes into graph-based ones.
• Reduced decoding complexity and quantum adaptability: Unlike schemes based on dual GRS codes properties, where a pre-processing step of interference cancellation during decoding is generally necessary, in our scheme, the user can recover the desired linear combination by merely solving linear systems defined by Cauchy–Vandermonde matrices, hence the reduction in decoding complexity. Moreover, our scheme is compatible with the N-Sum Box abstraction of quantum “over-the-air” computing [44,50], enabling a direct transformation of our scheme into a quantum one to achieve the superdense coding gain.

Notations: ${\mathbb{Z}}_{>0}$ denotes the set of positive integers. The set of rational numbers is denoted as $\mathbb{Q}$, while ${\mathbb{Q}}_{\ge 0}$ denotes the set of non-negative rational numbers. For any two positive integers $M<N$, $[M:N]$ denotes the set $\{M,M+1,\cdots ,N\}$, and $\left[N\right]$ denotes $[1:N]$. For any set of random variables $X_1,X_2,\cdots ,X_N$ indexed by $\left[N\right]$, and an index set $\mathcal{I}\subset \left[N\right]$, $X_{\mathcal{I}}$ denotes $\{X_i\mid i\in \mathcal{I}\}$. For any $x\in \mathbb{R}$, ${\left(x\right)}^{+}$ denotes $max(x,0)$.

2. Problem Statement

Let us consider a private linear computation problem with N servers, denoted as Server $n,n\in \left[N\right]$, and K messages. As depicted in Figure 1, the messages are partitioned into M disjoint sets, i.e., $\mathcal{W}={\bigcup }_{m\in \left[M\right]}{\mathcal{W}}_m,{\mathcal{W}}_i\cap {\mathcal{W}}_j=\varnothing ,\forall i\ne j,i,j\in \left[M\right]$, where ${\mathcal{W}}_m$ is the $m^{th}$ message set and $\mathcal{W}$ is the set of all messages. For each $m\in \left[M\right]$, we define ${\mathcal{W}}_m=\{{\mathbf{W}}_{m,1},{\mathbf{W}}_{m,2},\cdots ,{\mathbf{W}}_{m,K_m}\}$; i.e., the message set ${\mathcal{W}}_m$ consists of $K_m$ messages, and each of the messages comprises L i.i.d. symbols from a finite field ${\mathbb{F}}_q$. Formally, for all $m\in \left[m\right],k\in \left[K_m\right]$, we have ${\mathbf{W}}_{m,k}={[W_{m,k}\left(1\right),W_{m,k}\left(2\right),\cdots ,W_{m,k}\left(L\right)]}^{\top }$, and

$$\begin{array}{c}\hfill H\left({\left({\mathbf{W}}_{m,k}\right)}_{m\in \left[M\right],k\in \left[K_m\right]}\right)=KL,\end{array}$$

(1)

in q-ary units. Due to non-uniform data availability, each message set is only allowed to be stored among a subset of the N servers. To characterize this graph-based storage fashion, let us define

$$\begin{array}{cc}\hfill \mathcal{R}& =\{{\mathcal{R}}_1,{\mathcal{R}}_2,\cdots ,{\mathcal{R}}_M\},\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill {\mathcal{R}}_m& =\{{\mathcal{R}}_m\left(1\right),{\mathcal{R}}_m\left(2\right),\cdots ,{\mathcal{R}}_m\left({\rho }_m\right)\}\subset \left[N\right],\hfill \end{array}$$

(3)

where ${\mathcal{R}}_m$ corresponds to the $m^{th}$ message set ${\mathcal{W}}_m$, and for all $m\in \left[M\right]$, ${\mathcal{R}}_m$ represents a subset of servers; i.e., the message set ${\mathcal{W}}_m$ is allowed to be stored among Server $n,n\in {\mathcal{R}}_m$. The collection of server subsets $\mathcal{R}$ is referred to as the storage pattern. Note that it is occasionally more convenient to consider the dual representation of the storage pattern,

$$\begin{array}{cc}\hfill \mathcal{M}& =\{{\mathcal{M}}_1,{\mathcal{M}}_2,\cdots ,{\mathcal{M}}_N\},\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill {\mathcal{M}}_n& =\{m\in \left[M\right]\mid {\mathcal{R}}_m\ni n\},\hfill \end{array}$$

(5)

i.e., for all $n\in \left[N\right]$, Server n is allowed to store a securely coded codeword of the messages ${\mathcal{W}}_m,m\in {\mathcal{M}}_n$. In other words, denoting the codeword of the message ${\mathbf{W}}_{m,k},m\in \left[M\right],$$k\in \left[K_m\right]$ stored at Server $n,n\in {\mathcal{R}}_m$ as ${\tilde{W}}_{m,k}^{\left(n\right)}$, the storage at server $n,n\in \left[N\right]$, denoted as ${\mathcal{S}}_n$, is, thus,

$$\begin{array}{c}\hfill {\mathcal{S}}_n=\{{\tilde{W}}_{m,k}^{\left(n\right)}\mid m\in {\mathcal{M}}_n,k\in \left[K_m\right]\}.\end{array}$$

(6)

Moreover, the X-secure storage constraint guarantees that the collusion of any up to X servers discloses nothing about the message, i.e.,

$$\begin{array}{c}\hfill I({\mathcal{S}}_{\mathcal{X}};\mathcal{W})=0,\forall \mathcal{X}\subset \left[N\right],\left|\mathcal{X}\right|=X.\end{array}$$

(7)

Let us further elaborate on the above notations via the following example. Assume that we have $M=4$ message sets ${\mathcal{W}}_1,{\mathcal{W}}_2,{\mathcal{W}}_3,{\mathcal{W}}_4$ that are stored at $N=7$ servers, as shown in the following table.

Server 1	Server 2	Server 3	Server 4	Server 5	Server 6	Server 7	Server 8
${\mathcal{W}}_2$	${\mathcal{W}}_1$	${\mathcal{W}}_1$	${\mathcal{W}}_2$	${\mathcal{W}}_2$	${\mathcal{W}}_1$	${\mathcal{W}}_1,{\mathcal{W}}_2$	${\mathcal{W}}_1$

For this example, we have

$$\begin{array}{cccccccc}\hfill {\mathcal{R}}_1& =\{2,3,6,7\},\hfill & \hfill {\rho }_1& =4\hfill & \hfill {\mathcal{R}}_2& =\{1,4,5,7,8\},\hfill & \hfill {\rho }_2& =5\hfill \end{array}$$

(8a)

$$\begin{array}{cccccccc}\hfill {\mathcal{M}}_1& =\left\{2\right\},\hfill & \hfill {\mathcal{M}}_2& =\left\{1\right\},\hfill & \hfill {\mathcal{M}}_3& =\left\{1\right\},\hfill & \hfill {\mathcal{M}}_4& =\left\{2\right\},\hfill \end{array}$$

(8b)

$$\begin{array}{cccccccc}\hfill {\mathcal{M}}_5& =\left\{2\right\},\hfill & \hfill {\mathcal{M}}_6& =\left\{1\right\},\hfill & \hfill {\mathcal{M}}_7& =\{1,2\},\hfill & \hfill {\mathcal{M}}_8& =\left\{1\right\}.\hfill \end{array}$$

(8c)

In our private linear computation problem, the user is interested in a linear combination of the K messages of the following form

$$\begin{array}{c}\hfill {\lambda }_{\mathbf{\Lambda }}\left(\mathcal{W}\right)\triangleq \sum _{m\in \left[M\right]}\sum _{k\in \left[K_m\right]}{\lambda }_{m,k}{\mathbf{W}}_{m,k},\end{array}$$

(9)

where $\mathbf{\Lambda }={\left({\lambda }_{m,k}\right)}_{m\in \left[M\right],k\in \left[K_m\right]}$ is the coefficient of the linear combination and ${\lambda }_{m,k,l}\in {\mathbb{F}}_q,m\in \left[M\right],k\in \left[K_m\right],l\in \left[L\right]$ are generated by the user privately, uniformly i.i.d. over the finite field ${\mathbb{F}}_q$. For this purpose, the user generates a total of N queries, ${\mathcal{Q}}_n^{(\mathbf{\Lambda })},n\in \left[N\right]$, where ${\mathcal{Q}}_n^{(\mathbf{\Lambda })}$ is intended for Server n, without prior awareness of messages or server storage

$$\begin{array}{c}\hfill I({\mathcal{S}}_{\left[N\right]};\mathbf{\Lambda },{\mathcal{Q}}_1^{(\mathbf{\Lambda })},\cdots ,{\mathcal{Q}}_n^{(\mathbf{\Lambda })})=0,\end{array}$$

(10)

so that any set of up to T colluding servers learns nothing about the coefficients $\mathbf{\Lambda }$. Formally, we have

$$\begin{array}{c}\hfill I({\mathcal{Q}}_{\mathcal{T}}^{(\mathbf{\Lambda })};\mathbf{\Lambda })=0,\forall \mathcal{T}\subset \left[N\right],\left|\mathcal{T}\right|=T.\end{array}$$

(11)

Once the query ${\mathcal{Q}}_n^{(\mathbf{\Lambda })}$ is available at Server n, $n\in \left[N\right]$, an answer string ${\mathcal{A}}_n^{(\mathbf{\Lambda })}$ is generated as a function of ${\mathcal{Q}}_n^{(\mathbf{\Lambda })}$ and its storage ${\mathcal{S}}_n$, i.e.,

$$\begin{array}{c}\hfill H({\mathcal{A}}_n^{(\mathbf{\Lambda })}\mid {\mathcal{Q}}_n^{(\mathbf{\Lambda })},{\mathcal{S}}_n)=0.\end{array}$$

(12)

A private linear computation scheme is correct if and only if the desired linear combination is resolvable from the collection of downloaded server answers, i.e.,

$$\begin{array}{c}\hfill H({\lambda }_{\mathbf{\Lambda }}\left(\mathcal{W}\right)\mid {\mathcal{A}}_{\left[N\right]}^{(\mathbf{\Lambda })},{\mathcal{Q}}_{\left[N\right]}^{(\mathbf{\Lambda })},\mathbf{\Lambda })=0.\end{array}$$

(13)

To characterize the communication efficiency of a private linear computation scheme per server, we define the normalized total download cost $D_n$ as the expected number of q-ary symbols downloaded from the n-th server, normalized by L, that is, $D_n={\displaystyle \frac{H\left({\mathcal{A}}_n^{(\mathbf{\Lambda })}\right)}{L}}$. In addition, to measure the storage efficiency per server, we define the normalized storage cost for all $n\in \left[N\right]$ as follows:

$$\begin{array}{c}\hfill C_n={\displaystyle \frac{H\left({\mathcal{S}}_n\right)}{KL}}.\end{array}$$

(14)

3. Main Result

The main result of this work is an achievability scheme for the problem of GXSTPLC that allows a trade-off between the download cost and storage cost, formally presented in the following theorem.

Theorem 1.

Let $\mathit{\eta }=({\eta }_1,{\eta }_2,\cdots ,{\eta }_M)\in {\mathbb{Q}}^M$ be a vector of rational numbers such that for all $m\in \left[M\right],{\eta }_m\ge 1$, and each ${\eta }_m=p_m^{\prime }/q_m^{\prime }$, with $p_m^{\prime },q_m^{\prime }$ being co-prime. Consider a target vector of per-server normalized download costs $(D_1,D_2,\cdots ,D_N)\in {\mathbb{Q}}_{\ge 0}^N$, where each $D_n=p_n/q_n$, with $p_n,q_n$ being co-prime. If the vector $(D_1,D_2,\cdots ,D_N)$ lies within the achievable region $\mathcal{D}$, defined as

$$\begin{array}{c}\hfill \mathcal{D}(\mathit{\eta })\triangleq \left\{(D_1,\cdots ,D_N)\in {\mathbb{Q}}_{\ge 0}^N\left|\begin{array}{c}\forall m\in \left[M\right],\forall {\mathcal{R}}_m^{\prime }\subseteq {\mathcal{R}}_m\mathrm{with}\hfill \\ |{\mathcal{R}}_m^{\prime }|=|{\mathcal{R}}_m|-X-T,\sum _{n\in {\mathcal{R}}_m^{\prime }}{D}_n\ge {\eta }_m\hfill \end{array}\right.\right\},\end{array}$$

(15)

then this vector of download costs is achievable by the proposed GXSTPLC scheme. The corresponding normalized storage cost $C_n,n\in \left[N\right]$ is given by

$$\begin{array}{c}\hfill C_n={\displaystyle \frac{1}{K}}\sum _{m\in {\mathcal{M}}_n}min({\tau }_n,{\gamma }_m){\displaystyle \frac{K_m}{q_0({\eta }_m-1)+1}},\end{array}$$

(16)

where the integers ${\tau }_n$ are defined as ${\tau }_n=q_0{D}_n$ with $q_0=lcm(q_1,q_2,\cdots ,q_N,q_1^{\prime },q_2^{\prime },\cdots ,q_M^{\prime })$, and for each $m\in \left[M\right]$, ${\gamma }_m$ is the $(X+T)$-th largest value in the multiset $\{{\tau }_n\mid n\in {\mathcal{R}}_m\}$ when its elements are sorted in non-increasing order.

Remark 1.

It is remarkable that by setting ${\eta }_m=1$ for all $m\in \left[M\right]$, our result reduces to that of [38], which is capacity-achievable; i.e., it achieves the minimum possible normalized total download cost $D={\sum }_{n\in \left[N\right]}{D}_n$ via the optimal configuration of $D_n$s. It is also worth mentioning that by setting ${\eta }_m=1$ for all $m\in \left[M\right]$, the closure of our achievable region $\mathcal{D}\left(\mathbf{1}\right)$ in the real space ${\mathbb{R}}^N$ exactly matches the converse region established in [38] (Theorem 1).

The Storage–Communication Trade-Off in the Proposed GXSTPLC Scheme

In this section, we investigate the fundamental trade-off between the normalized storage cost $C_n$ and the normalized download cost $D_n$ of our proposed GXSTPLC scheme. To facilitate this analysis, we can bound the expression for $C_n$ as follows.

$$\begin{array}{cc}\hfill C_n& ={\displaystyle \frac{1}{K}}\sum _{m\in {\mathcal{M}}_n}min({\tau }_n,{\gamma }_m){\displaystyle \frac{K_m}{q_0({\eta }_m-1)+1}}\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill & \le {\displaystyle \frac{1}{K}}\sum _{m\in {\mathcal{M}}_n}{\tau }_n{\displaystyle \frac{K_m}{q_0({\eta }_m-1+\frac{1}{q_0})}}\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{D_n}{K}}\sum _{m\in {\mathcal{M}}_n}{\displaystyle \frac{K_m}{{\eta }_m-1+\frac{1}{q_0}}},\hfill \end{array}$$

(19)

where (18) holds by noting that $min({\tau }_n,{\gamma }_m)\le {\tau }_n$. To further simplify our analysis, let us consider a symmetric scenario where $K_m=K/M$ for all $m\in \left[M\right]$. In addition, by definition, $q_0$ tends to be large, so the bound can then be approximated as

$$\begin{array}{c}\hfill C_n⪅{\displaystyle \frac{D_n}{M}}\sum _{m\in {\mathcal{M}}_n}{\displaystyle \frac{1}{{\eta }_m-1}}.\end{array}$$

(20)

This approximation explicitly shows that for operating points within the achievable region $\mathcal{D}\left(\eta \right)$, for a given server n, its storage cost $C_n$ is directly proportional to its own download cost $D_n$ and inversely related to the term ${\eta }_m-1$ for each message set m it stores. This relationship suggests that one potential strategy to reduce $C_n$ is to increase the corresponding values of ${\eta }_m$ while keeping $D_n$ fixed. However, according to the definition of the achievable region $\mathcal{D}(\mathit{\eta })$, increasing any ${\eta }_m$ tightens the feasibility constraint associated with the message set m, requiring a larger sum of download costs from the relevant servers. To satisfy this stricter condition, the download costs of other servers (i.e., those in ${\mathcal{R}}_m$) must collectively increase. This increase in another server’s download cost, namely $D_{n^{\prime }}$, is likely to elevate its own storage cost $C_{n^{\prime }}$. Therefore, an attempt to locally optimize storage cost on one server can inadvertently shift the burden, increasing both download and storage costs elsewhere in the system.

On the other hand, it is also of interest to explore the trade-off between the total normalized storage cost, denoted by $C={\sum }_{n=1}^N{C}_n$, and the total normalized download cost, $D={\sum }_{n=1}^N{D}_n$. To construct the optimal trade-off curve of D versus C for a given total download cost $D_{\mathrm{target}}$, our goal is to find the minimum possible total storage cost $C_{min}$. This is formulated as an optimization problem:

$$\begin{array}{cc}\hfill C_{min}\left(D_{\mathrm{target}}\right)=\underset{\eta ,{\left(D_n\right)}_{n\in \left[N\right]}}{min}& \sum _{n=1}^N{C}_n\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill \mathrm{s}.\mathrm{t}.& \sum _{n=1}^N{D}_n\le D_{\mathrm{target}},\hfill \end{array}$$

(22)

$$\begin{array}{cc}\hfill & (D_1,D_2,\cdots ,D_N)\in \mathcal{D}(\mathit{\eta }),\hfill \end{array}$$

(23)

$$\begin{array}{cc}\hfill & {\eta }_m\ge 1,\forall m\in \left[M\right].\hfill \end{array}$$

(24)

By solving this optimization problem for a range of $D_{\mathrm{target}}$ values, we obtain a set of optimal operating points $(D_{\mathrm{target}},C_{min}\left(D_{\mathrm{target}}\right))$. Figure 2 presents such a storage–communication trade-off curve for a specific setting. It is crucial to note that this figure is plotted by numerically solving the optimization problem (21)–(24) via an exhaustive search-based strategy. In particular, for the specific system setting, we first discretize and sweep over a range of plausible values for the parameters ${\eta }_1$ and ${\eta }_2$ (subject to ${\eta }_1,{\eta }_2\ge 1$). Then, for each candidate pair $({\eta }_1,{\eta }_2)$, we find achievable download cost vector $(D_1,D_2,\cdots ,D_N)$ that minimizes the total download cost $D_{\mathrm{target}}={\sum }_n{D}_n$ for the specific $\mathit{\eta }$. For each feasible $({\eta }_1,{\eta }_2)$ and its associated optimal download vector $(D_1,D_2,\cdots ,D_N)$, the corresponding total storage cost $C={\sum }_{n=1}^N{C}_n$ is calculated. This results in a point $(D_{\mathrm{target}},C)$ on the D-C plane for the given $\mathit{\eta }$. The set of all points $(D_{\mathrm{target}},C)$ obtained from all feasible $({\eta }_1,{\eta }_2)$ pairs forms a set of achievable $(D_{\mathrm{target}},C)$ points, and the trade-off curve is obtained by finding its lower convex hull. Although this numerical method does not guarantee the exploration of the entire feasible region, the resulting curve provides a conservative approximation of the optimal solution. In other words, the true optimal trade-off curve can only lie on or to the lower left of the curve presented in the figure, which serves as a bound for the $(D_{\mathrm{target}},C_{min}\left(D_{\mathrm{target}}\right))$ curve.

4. An Achievability Scheme for Asymmetric Setting

As discussed in the introduction, our achievability scheme construction begins with a scheme for Asymmetric MDS-GXSTPLC. Specifically, in this asymmetric variant, the security and privacy constraints are parameterized by two tuples $\mathbf{X}=(X_1,X_2,\cdots ,X_M)$ and $\mathbf{T}=(T_1,T_2,\cdots ,T_M)$, and for each message set $m\in \left[M\right]$, the corresponding constraints are $X_m$-security and $T_m$-privacy, i.e.,

$$\begin{array}{cccc}\hfill & I({\mathcal{S}}_{\mathcal{X}};{\mathcal{W}}_m)=0,\hfill & \hfill & \forall \mathcal{X}\subset \left[N\right],\left|\mathcal{X}\right|=X_m,\hfill \end{array}$$

(25)

$$\begin{array}{cccc}\hfill & I({\mathcal{Q}}_{\mathcal{T}}^{(\mathbf{\Lambda })};{\left({\lambda }_{m,k}\right)}_{k\in \left[K_m\right]})=0,\hfill & \hfill & \forall \mathcal{T}\subset \left[N\right],\left|\mathcal{T}\right|=T_m.\hfill \end{array}$$

(26)

Moreover, for each message set $m\in \left[M\right]$, the codewords distributed among the servers $n\in {\mathcal{R}}_m$ must form an $(N,X_m+{\eta }_m)$-MDS code; i.e., the messages ${\mathcal{W}}_m$ must be recoverable from any $X_m+{\eta }_m$ of its codewords, and the size of any of the codeword is at most $L/{\eta }_m$ in q-ary units, where ${\eta }_m\in {\mathbb{Z}}_{>0}$ for all $m\in \left[M\right]$. In particular, we show that the following (uniform) normalized download cost is achievable for Asymmetric MDS-GXSTPLC for all $n\in \left[N\right]$

$$\begin{array}{c}\hfill D_n={\displaystyle \frac{1}{{\left({min}_{m\in \left[M\right]}{\rho }_m-X_m-T_m-{\eta }_m+1\right)}^{+}}}.\end{array}$$

(27)

Once the achievability scheme for the asymmetric setting is established, we then employ the idea of the augmented system adapted from [38] to show that the normalized download cost in Theorem 1 is achievable. The remainder of this section is devoted to the presentation of the achievability scheme for the problem of Asymmetric MDS-GXSTPLC.

4.1. Preliminaries

Recall that the security and privacy level are parameterized by two tuples $\mathbf{X}=(X_1,X_2,\cdots ,X_M)$ and $\mathbf{T}=(T_1,T_2,\cdots ,T_M)$. Also, the MDS code constraint is parameterized by a set of M positive integers ${\eta }_1,{\eta }_2,\cdots ,{\eta }_M$. Moreover, let us assume that for all $m\in \left[M\right]$, we have ${\rho }_m>X_m+T_m+{\eta }_m-1$; otherwise, our scheme is infeasible. Let us define $\mu ={min}_{m\in \left[M\right]}{\rho }_m-X_m-T_m-{\eta }_m+1$, and set $L=\mathrm{lcm}(\mu ,{\eta }_1,{\eta }_2,\cdots ,{\eta }_M)$; i.e., each of the K messages consists of L i.i.d. symbols from the finite field ${\mathbb{F}}_q$. Recall that setting $L=\mathrm{lcm}(\mu ,{\eta }_1,{\eta }_2,\cdots ,{\eta }_M)$ allows us to define a positive integer $J_m=L/{\eta }_m$ as we must have ${\eta }_m\mid L$. Now for all $m\in \left[M\right]$, let us define a mapping ${\varphi }_m:\left[J_m\right]\times \left[{\eta }_m\right]\to \left[L\right]$ as ${\varphi }_m(\mathit{\ell },\kappa )=\mathit{\ell }+(\kappa -1)J_m$, i.e., the column-major order reshaping of $\left[L\right]$. It is obvious that ${\varphi }_m$ is invertible, denoted as ${\varphi }_m^{-1}$. Note that the mapping ${\varphi }_m$ allows us to reshape message vectors ${\left({\mathbf{W}}_{m,k}\right)}_{k\in \left[K_m\right]}$ into $J_m\times {\eta }_m$ matrices for all $m\in \left[M\right]$, where $J_m=L/{\eta }_m$. In other words, for all $m\in \left[M\right],k\in \left[K_m\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right]$, we define $W_{m,k}(\mathit{\ell },\kappa )=W_{m,k}\left({\varphi }_m(\mathit{\ell },\kappa )\right)$. Also, we need a total of $N+L$ distinct elements from ${\mathbb{F}}_q$, denoted as ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_N,f_1,f_2,\cdots ,f_L$. The existence of such distinct elements is guaranteed by selecting a sufficiently large field $q\ge N+L$. For all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right]$, let us define $f_{\mathit{\ell },\kappa }^{\left(m\right)}=f_{{\varphi }_m(\mathit{\ell },\kappa )}$. Finally, for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right]$, let us define ${\mathbf{W}}_{m,\mathit{\ell },\kappa }={[W_{m,1}(\mathit{\ell },\kappa ),W_{m,2}(\mathit{\ell },\kappa ),\cdots ,W_{m,K_m}(\mathit{\ell },\kappa )]}^{\top }$ and for all $m\in \left[M\right]$, define ${\lambda }_m={[{\lambda }_{m,1},{\lambda }_{m,2},\cdots ,{\lambda }_{m,K_m}]}^{\top }$. Clearly, the desired linear combination can be equivalently written in the following form

$$\begin{array}{c}\hfill {\lambda }_{\mathbf{\Lambda }}\left(\mathcal{W}\right)={\left(\sum _{m\in \left[M\right]}{\mathbf{W}}_{m,\mathit{\ell },\kappa }^{\top }{\mathit{\lambda }}_m\right)}_{\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right]}.\end{array}$$

(28)

4.2. Construction of the Storage

For all $m\in \left[M\right]$, let us define the following null-shaper polynomial in $\alpha$

$$\begin{array}{c}\hfill N_m\left(\alpha \right)=\mathbf{\prod }_{n\in \left[N\right]\setminus {\mathcal{R}}_m}(\alpha -{\alpha }_n),\end{array}$$

(29)

and for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right]$, let us define the following (vector-valued) rational function in $\alpha$

$$\begin{array}{c}\hfill {\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left(\alpha \right)=N_m\left(\alpha \right)\left(\sum _{\kappa \in \left[{\eta }_m\right]}{\displaystyle \frac{N_m{\left(f_{\mathit{\ell },\kappa }^{\left(m\right)}\right)}^{-1}}{\alpha -f_{\mathit{\ell },\kappa }^{\left(m\right)}}}{\mathbf{W}}_{m,\mathit{\ell },\kappa }+\sum _{x\in \left[X_m\right]}{\alpha }^{x-1}{\mathbf{Z}}_{m,\mathit{\ell },x}\right)\end{array}$$

(30)

where for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],x\in \left[X_m\right]$, ${\mathbf{Z}}_{m,\mathit{\ell },x}$ are uniformly i.i.d. column vectors from ${\mathbb{F}}_q^{K_m}$, independent of the messages. Note that by the definition of $N\left(\alpha \right)$, for all $m\in \left[M\right],n\in \left[N\right]\setminus {\mathcal{R}}_m$, we have ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left({\alpha }_n\right)=\mathbf{0}$, i.e., the rational function ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left(\alpha \right)$, evaluated at the points corresponding to the servers that are prohibited from storing codewords of the $m^{th}$ message set, is zero. Moreover, by partial fraction decomposition, we can also write

$$\begin{array}{cc}\hfill {\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left(\alpha \right)=& \sum _{\kappa \in \left[{\eta }_m\right]}{\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },\kappa }^{\left(m\right)}}}{\mathbf{W}}_{m,\mathit{\ell },\kappa }+\sum _{i\in [X_m+N-{\rho }_m]}{\alpha }^{i-1}{\mathbf{Y}}_{m,\mathit{\ell },i},\hfill \end{array}$$

(31)

where for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right]$, ${\left({\mathbf{Y}}_{m,\mathit{\ell },i}\right)}_{i\in [X_m+N-{\rho }_m]}$ are various linear combinations of ${\left({\mathbf{W}}_{m,\mathit{\ell },\kappa }\right)}_{\kappa \in \left[{\eta }_m\right]}$ and ${\left({\mathbf{Z}}_{m,\mathit{\ell },x}\right)}_{x\in \left[X_m\right]}$. Now, for all $n\in \left[N\right]$, the storage at Server n is constructed as follows

$$\begin{array}{c}\hfill {\mathcal{S}}_n=\left\{{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left({\alpha }_n\right)\mid m\in \left[M\right],\mathit{\ell }\in \left[J_m\right]\right\}.\end{array}$$

(32)

Again, while evaluating the rational function ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left(\alpha \right)$ for all ${\alpha }_n,n\in \left[N\right]$ might seem to violate the graph-based storage pattern, this paradox is resolved because our construction guarantees that for each message set $m\in \left[M\right]$, the evaluations for servers that refrain from storing any codeword of that message set are explicitly set to zero; hence, no storage is necessary. Moreover, for all $m\in \left[M\right],k\in \left[K_m\right]$, the size of the codeword of ${\mathbf{W}}_{m,k}$ for Server $n,n\in {\mathcal{R}}_m$ is $J_m=L/{\eta }_m$. And for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right]$ and $\mathcal{K}\subset {\mathcal{R}}_m$ such that $\left|\mathcal{K}\right|={\eta }_m+X_m$, given ${\left({\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left({\alpha }_n\right)\right)}_{n\in \mathcal{K}}$, the message symbols ${\left({\mathbf{W}}_{m,\mathit{\ell },\kappa }\right)}_{\kappa \in \left[{\eta }_m\right]}$ are recoverable. This is because for all $n\in {\mathcal{R}}_m$, we have $N\left({\alpha }_m\right)\ne 0$, so from ${\left(N_m{\left({\alpha }_m\right)}^{-1}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left({\alpha }_n\right)\right)}_{n\in \mathcal{K}}$, ${\left({\mathbf{W}}_{m,\mathit{\ell },\kappa }\right)}_{\kappa \in \left[{\eta }_m\right]}$ are recoverable by inverting the following (scaled) Cauchy–Vandermonde matrix

$$\begin{array}{c}\hfill \left[\begin{array}{cccccc}{\displaystyle \frac{N_m{\left(f_{\mathit{\ell },1}^{\left(m\right)}\right)}^{-1}}{{\alpha }_{i_1}-f_{\mathit{\ell },1}^{\left(m\right)}}}& \cdots & {\displaystyle \frac{N_m{\left(f_{\mathit{\ell },{\eta }_m}^{\left(m\right)}\right)}^{-1}}{{\alpha }_{i_1}-f_{\mathit{\ell },{\eta }_m}^{\left(m\right)}}}& 1& \cdots & {\alpha }_{i_1}^{X_m-1}\\ ⋮& ⋮& ⋮& ⋮& ⋮& ⋮\\ {\displaystyle \frac{N_m{\left(f_{\mathit{\ell },1}^{\left(m\right)}\right)}^{-1}}{{\alpha }_{i_{{\eta }_m+X_m}}-f_{\mathit{\ell },1}^{\left(m\right)}}}& \cdots & {\displaystyle \frac{N_m{\left(f_{\mathit{\ell },{\eta }_m}^{\left(m\right)}\right)}^{-1}}{{\alpha }_{i_{{\eta }_m+X_m}}-f_{\mathit{\ell },{\eta }_m}^{\left(m\right)}}}& 1& \cdots & {\alpha }_{i_{{\eta }_m+X_m}}^{X_m-1}\end{array}\right]\end{array}$$

(33)

where $\mathcal{K}=\{i_1,i_2,\cdots ,i_{{\eta }_m+X_m}\}$, and for any distinct ${\alpha }_{i_1},{\alpha }_{i_2},\cdots ,{\alpha }_{i_{{\eta }_m+X_m}},f_{\mathit{\ell },1}^{\left(m\right)},f_{\mathit{\ell },2}^{\left(m\right)},\cdots ,f_{\mathit{\ell },{\eta }_m}^{\left(m\right)}$, the Cauchy–Vandermonde matrix must be invertible. Finally, guaranteed by the $(N,X_m)$-MDS coded uniform noise terms, for all $m\in \left[M\right]$, the storage at any $X_m$ servers is independent of ${\mathcal{W}}_m$, i.e., the storage is $X_m$-secure with respect to the $m^{th}$ message set.

4.3. Construction of the Queries

For all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right]$, let us define the following polynomial in $\alpha$

$$\begin{array}{cc}\hfill & {\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left(\alpha \right)=\mathbf{\prod }_{{\kappa }^{\prime }\in \left[{\eta }_m\right]\setminus \left\{\kappa \right\}}{\displaystyle \frac{\alpha -f_{\mathit{\ell },{\kappa }^{\prime }}^{\left(m\right)}}{f_{\mathit{\ell },\kappa }^{\left(m\right)}-f_{\mathit{\ell },{\kappa }^{\prime }}^{\left(m\right)}}}{\mathit{\lambda }}_m+\mathbf{\prod }_{{\kappa }^{\prime }\in \left[{\eta }_m\right]}(\alpha -f_{\mathit{\ell },{\kappa }^{\prime }}^{\left(m\right)})\left(\sum _{t\in \left[T_m\right]}{\alpha }^{t-1}{\mathbf{Z}}_{m,\mathit{\ell },\kappa ,t}^{\prime }\right),\hfill \end{array}$$

(34)

where for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right],t\in \left[T_m\right]$, ${\mathbf{Z}}_{m,\mathit{\ell },\kappa ,t}^{\prime }$ are uniformly i.i.d. column vectors from ${\mathbb{F}}_q^{K_m}$, independent of the coefficients. Now the query for Server n is constructed as

$$\begin{array}{c}\hfill {\mathcal{Q}}_n^{(\mathbf{\Lambda })}=\left\{{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left({\alpha }_n\right)\mid m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right]\right\}.\end{array}$$

(35)

Similarly, due to the fact that the coefficients are protected by the $(N,T_m)$-MDS coded uniform noise terms, for all $m\in \left[M\right]$, the queries are $T_m$-private with respect to the $m^{th}$ message set.

4.4. Construction of the Answers

Let us define $V=L/\mu$, and note that $\mu \mid L$, V must be a positive integer. Once the query ${\mathcal{Q}}_n^{(\mathbf{\Lambda })}$ is available at Server n, for all $n\in \left[N\right]$, the answer ${\mathcal{A}}_n^{(\mathbf{\Lambda })}$ is constructed as follows

$$\begin{array}{cc}\hfill & {\mathcal{A}}_n^{(\mathbf{\Lambda })}=\left\{\sum _{\begin{array}{c}m\in \left[M\right]\\ (\mathit{\ell },\kappa )\in {\varphi }_m^{-1}[(v-1)\mu +1:v\mu ]\end{array}}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left({\alpha }_n\right)|v\in \left[V\right]\right\}.\hfill \end{array}$$

(36)

To see the correctness of our scheme, note that the term ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left({\alpha }_n\right)$ can be viewed as the evaluation of the rational function ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left(\alpha \right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left(\alpha \right)$ at ${\alpha }_n$, where, exploiting the equivalent form of ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left(\alpha \right)$ in (31), we can write

$$\begin{array}{cc}\hfill & {\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left(\alpha \right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left(\alpha \right)={\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },\kappa }^{\left(m\right)}}}{\mathbf{W}}_{m,\mathit{\ell },\kappa }^{\top }{\lambda }_m+\sum _{i\in [X_m+N-{\rho }_m+{\eta }_m+T_m-1]}{\alpha }^{i-1}{\mathbf{Y}}_{m,\mathit{\ell },\kappa ,i}^{\prime }\hfill \end{array}$$

(37)

where for all $m\in \left[M\right],\mathit{\ell }\in \left[J_m\right],\kappa \in \left[{\eta }_m\right],i\in [X_m+N-{\rho }_m+{\eta }_m+T_m-1]$, ${\mathbf{Y}}_{m,\mathit{\ell },\kappa ,i}^{\prime }$ are various linear combinations of ${\left({\mathbf{W}}_{m,\mathit{\ell },\kappa }\right)}_{\kappa \in \left[{\eta }_m\right]}$, ${\left({\mathbf{Y}}_{m,\mathit{\ell },i}\right)}_{i\in [X_m+N-{\rho }_m]}$, ${\mathit{\lambda }}_m$ and ${\left({\mathbf{Z}}_{m,\mathit{\ell },\kappa ,t}^{\prime }\right)}_{t\in \left[T_m\right]}$. Note that by the definition of $\mu$, for all $m\in \left[M\right]$, we have $\mu \le {\rho }_m-X_m-T_m-{\eta }_m+1$. Therefore $X_m+N-{\rho }_m+{\eta }_m+T_m-1=N-({\rho }_m-X_m-T_m-{\eta }_m+1)\le N-\mu$; i.e., we can equivalently write

$$\begin{array}{cc}\hfill & {\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left(\alpha \right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left(\alpha \right)={\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },\kappa }^{\left(m\right)}}}{\mathbf{W}}_{m,\mathit{\ell },\kappa }^{\top }{\mathit{\lambda }}_m+\sum _{i\in [N-\mu ]}{\alpha }^{i-1}{\mathbf{Y}}_{m,\mathit{\ell },\kappa ,i}^{\prime }\hfill \end{array}$$

(38)

where for all $N-({\rho }_m-X_m-T_m-{\eta }_m+1)<i\le N-\mu$, we simply set ${\mathbf{Y}}_{m,\mathit{\ell },\kappa ,i}^{\prime }=\mathbf{0}$. Now plug this form into the definition of the answer, and recall that for all $m\in \left[M\right]$, ${\varphi }_m$ represents the column-major order reshaping of $\left[L\right]$, we have

$$\begin{array}{cc}\hfill & \sum _{m\in \left[M\right],(\mathit{\ell },\kappa )\in {\varphi }_m^{-1}[(v-1)\mu +1:v\mu ]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },\kappa }\left({\alpha }_n\right)\hfill \\ \hfill & =\sum _{l\in \left[\right(v-1)\mu +1:v\mu ]}{\displaystyle \frac{1}{{\alpha }_n-f_l}}\left(\sum _{m\in \left[M\right]}{\mathbf{W}}_{m,\left({\varphi }_m^{-1}\left(l\right)\right)}^{\top }{\mathit{\lambda }}_m\right)+\sum _{i\in [N-\mu ]}{\alpha }_n^{i-1}{\mathbf{Y}}_{v,i}^{″}\hfill \end{array}$$

(39)

where for all $v\in \left[V\right]$,

$$\begin{array}{c}\hfill {\mathbf{Y}}_{v,i}^{″}=\sum _{m\in \left[M\right],(\mathit{\ell },\kappa )\in {\varphi }_m^{-1}[(v-1)\mu +1:v\mu ]}{\mathbf{Y}}_{m,\mathit{\ell },\kappa ,i}^{\prime }.\end{array}$$

(40)

Now it is clear that for all $v\in \left[V\right]$, the desired linear combination symbols

${\left({\sum }_{m\in \left[M\right]}{\mathbf{W}}_{m,\mathit{\ell },\kappa }^{\top }{\mathit{\lambda }}_m\right)}_{(\mathit{\ell },\kappa )\in {\varphi }_m^{-1}[(v-1)\mu +1:v\mu ]}$ can be decoded by inverting the following Cauchy–Vandermonde matrix

$$\begin{array}{c}\hfill \underset{{CSA}_{N,\mu }^q(\mathbf{\alpha },\mathbf{f})}{\underbrace{\left[\begin{array}{cccccc}{\displaystyle \frac{1}{{\alpha }_1-f_{(v-1)\mu +1}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_1-f_{v\mu }}}& 1& \cdots & {\alpha }_1^{N-\mu -1}\\ ⋮& ⋮& ⋮& ⋮& ⋮& ⋮\\ {\displaystyle \frac{1}{{\alpha }_N-f_{(v-1)\mu +1}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_N-f_{v\mu }}}& 1& \cdots & {\alpha }_N^{N-\mu -1}\end{array}\right]}},\end{array}$$

(41)

whose invertibility is ensured by the fact that $f_1,f_2,\cdots ,f_L,{\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_N$ are distinct. Finally, note that for each server n, a total of V symbols are downloaded, and the normalized download cost of the scheme is, thus,

$$\begin{array}{c}\hfill D_n={\displaystyle \frac{V}{L}}={\displaystyle \frac{1}{\mu }}={\displaystyle \frac{1}{{min}_{m\in \left[M\right]}{\rho }_m-X_m-T_m-{\eta }_m+1}},\forall n\in \left[N\right].\end{array}$$

(42)

4.5. Motivating Example

Let us elaborate on our scheme via an illustrative example. Consider an example where we have $N=20$ servers that store $M=2$ message sets according to the following storage pattern.

$$\begin{array}{cccc}\hfill {\mathcal{R}}_1& =\{3,4,5,6,7,8,13,14,15,16,17,18\},\hspace{1em}\hspace{1em}\hspace{1em}\hfill & \hfill {\rho }_1& =12,\hfill \end{array}$$

(43a)

$$\begin{array}{cccc}\hfill {\mathcal{R}}_2& =\{1,2,9,10,11,12,16,17,19,20\},\hspace{1em}\hspace{1em}\hspace{1em}\hfill & \hfill {\rho }_2& =10.\hfill \end{array}$$

(43b)

Conversely, we can also write

$$\begin{array}{c}\hfill \begin{array}{cccc}{\mathcal{M}}_1=\left\{2\right\},& {\mathcal{M}}_2=\left\{2\right\},& {\mathcal{M}}_3=\left\{1\right\},& {\mathcal{M}}_4=\left\{1\right\},\\ {\mathcal{M}}_5=\left\{1\right\},& {\mathcal{M}}_6=\left\{1\right\},& {\mathcal{M}}_7=\left\{1\right\},& {\mathcal{M}}_8=\left\{1\right\},\\ {\mathcal{M}}_9=\left\{2\right\},& {\mathcal{M}}_{10}=\left\{2\right\},& {\mathcal{M}}_{11}=\left\{2\right\},& {\mathcal{M}}_{12}=\left\{2\right\},\\ {\mathcal{M}}_{13}=\left\{1\right\},& {\mathcal{M}}_{14}=\left\{1\right\},& {\mathcal{M}}_{15}=\left\{1\right\},& {\mathcal{M}}_{16}=\left\{1\right\},\\ {\mathcal{M}}_{17}=\left\{1\right\},& {\mathcal{M}}_{18}=\left\{1\right\},& {\mathcal{M}}_{19}=\left\{2\right\},& {\mathcal{M}}_{20}=\left\{2\right\}.\end{array}\end{array}$$

(44)

Moreover, let us set the asymmetric security and privacy thresholds $X_1=3,X_2=2$, $T_1=3,T_2=2$. Also, the MDS code constraint is parameterized by two positive integers ${\eta }_1=2,{\eta }_2=2$. According to the definition of Section 4.1, we have $\mu =5,L=10$. Recall that the K messages are partitioned into two disjoint sets ${\mathcal{W}}_1$ and ${\mathcal{W}}_2$, where

$$\begin{array}{c}\hfill {\mathcal{W}}_1=\{W_{1,1},W_{1,2},\cdots ,W_{1,K_1}\},\end{array}$$

(45a)

$$\begin{array}{c}\hfill {\mathcal{W}}_2=\{W_{2,1},W_{2,2},\cdots ,W_{2,K_2}\}.\end{array}$$

(45b)

Each message comprises $L=10$ symbols from ${\mathbb{F}}_q$, where $q\ge 30$, i.e.,

$$\begin{array}{cc}\hfill & {\mathbf{W}}_{1,k}={\left[W_{1,k}\left(1\right),W_{1,k}\left(2\right),\cdots ,W_{1,k}\left(10\right)\right]}^{\top },k\in \left[K_1\right],\hfill \end{array}$$

(46)

$$\begin{array}{cc}\hfill & {\mathbf{W}}_{2,k}={\left[W_{2,k}\left(1\right),W_{2,k}\left(2\right),\cdots ,W_{2,k}\left(10\right)\right]}^{\top },k\in \left[K_2\right].\hfill \end{array}$$

(47)

Let ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_{20},f_{1,1},\cdots ,f_{5,1},f_{1,2},\cdots ,f_{5,2}$ be 30 distinct constants from the finite field ${\mathbb{F}}_q$. According to the definition of Section 4.1, we have $J_1=L/{\eta }_1=5$ and $J_2=L/{\eta }_2=5$. For all $\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]$, let us define

$$\begin{array}{cc}\hfill & {\mathbf{W}}_{1,\mathit{\ell },\kappa }={[W_{1,1}(\mathit{\ell }+5(\kappa -1)),W_{1,2}(\mathit{\ell }+5(\kappa -1)),\cdots ,W_{1,K_1}(\mathit{\ell }+5(\kappa -1))]}^{\top }\hfill \end{array}$$

(48)

$$\begin{array}{cc}\hfill & {\mathbf{W}}_{2,\mathit{\ell },\kappa }={[W_{2,1}(\mathit{\ell }+5(\kappa -1)),W_{2,2}(\mathit{\ell }+5(\kappa -1)),\cdots ,W_{2,K_2}(\mathit{\ell }+5(\kappa -1))]}^{\top }.\hfill \end{array}$$

(49)

and define

$$\begin{array}{cc}\hfill & {\mathit{\lambda }}_1={[{\lambda }_{1,1},{\lambda }_{1,2},\cdots ,{\lambda }_{1,K_1}]}^{\top },\hfill \end{array}$$

(50)

$$\begin{array}{cc}\hfill & {\mathit{\lambda }}_2={[{\lambda }_{2,1},{\lambda }_{2,2},\cdots ,{\lambda }_{2,K_2}]}^{\top }.\hfill \end{array}$$

(51)

Then the desired linear combination of the two messages can be written in the following form.

$$\begin{array}{c}\hfill {\lambda }_{\mathbf{\Lambda }}\left(\mathcal{W}\right)={\left[\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,1,1}^{\top }{\lambda }_m,\cdots ,\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,5,1}^{\top }{\lambda }_m,\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,1,2}^{\top }{\lambda }_m,\cdots ,\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,5,2}^{\top }{\lambda }_m\right]}^{\top }.\end{array}$$

(52)

For all $m\in \left[2\right]$, let us define the following null-shaper polynomial in $\alpha$,

$$\begin{array}{c}\hfill N_m\left(\alpha \right)=\mathbf{\prod }_{n\in \left[N\right]\setminus {\mathcal{R}}_m}(\alpha -{\alpha }_n).\end{array}$$

(53)

Let us define the following (vector-valued) rational function in $\alpha$,

$$\begin{array}{cc}\hfill {\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left(\alpha \right)\triangleq & N_1\left(\alpha \right)\left({\displaystyle \frac{N_1{\left(f_{\mathit{\ell },1}\right)}^{-1}}{\alpha -f_{\mathit{\ell },1}}}{\mathbf{W}}_{1,\mathit{\ell },1}+{\displaystyle \frac{N_1{\left(f_{\mathit{\ell },2}\right)}^{-1}}{\alpha -f_{\mathit{\ell },2}}}{\mathbf{W}}_{1,\mathit{\ell },2}+\sum _{x\in \left[3\right]}{\alpha }^{x-1}{\mathbf{Z}}_{1,\mathit{\ell },x}\right)\hfill \end{array}$$

(54)

$$\begin{array}{cc}\hfill =& {\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },1}}}{\mathbf{W}}_{1,\mathit{\ell },1}+{\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },2}}}{\mathbf{W}}_{1,\mathit{\ell },2}+\sum _{i\in \left[11\right]}{\alpha }^{i-1}{\mathbf{Y}}_{1,\mathit{\ell },i}.\hfill \end{array}$$

(55)

Note that since for all $n\in \left[N\right]\setminus {\mathcal{R}}_1$, $N_1\left({\alpha }_n\right)=0$, we have ${\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_n\right)=0$ for all $\mathit{\ell }\in \left[5\right]$. In (55), for all $\mathit{\ell }\in \left[5\right]$, ${\left({\mathbf{Y}}_{1,\mathit{\ell },i}\right)}_{i\in \left[11\right]}$ are various linear combinations of ${\left({\mathbf{W}}_{1,\mathit{\ell },\kappa }\right)}_{\kappa \in \left[2\right]}$ and ${\left({\mathbf{Z}}_{1,\mathit{\ell },x}\right)}_{x\in \left[3\right]}$. Since $|{\mathcal{R}}_1|=12$, the degree of the last term (viewed as a polynomial in $\alpha$) in (55) is 10.

Let us define the following (vector-valued) rational function in $\alpha$,

$$\begin{array}{cc}\hfill {\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left(\alpha \right)& \triangleq N_2\left(\alpha \right)\left({\displaystyle \frac{N_2{\left(f_{\mathit{\ell },1}\right)}^{-1}}{\alpha -f_{\mathit{\ell },1}}}{\mathbf{W}}_{2,\mathit{\ell },1}+{\displaystyle \frac{N_2{\left(f_{\mathit{\ell },2}\right)}^{-1}}{\alpha -f_{\mathit{\ell },2}}}{\mathbf{W}}_{2,\mathit{\ell },2}+\sum _{x\in \left[2\right]}{\alpha }^{x-1}{\mathbf{Z}}_{2,\mathit{\ell },x}\right)\hfill \end{array}$$

(56)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },1}}}{\mathbf{W}}_{2,\mathit{\ell },1}+{\displaystyle \frac{1}{\alpha -f_{\mathit{\ell },2}}}{\mathbf{W}}_{2,\mathit{\ell },2}+\sum _{i\in \left[12\right]}{\alpha }^{i-1}{\mathbf{Y}}_{2,\mathit{\ell },i}\hfill \end{array}$$

(57)

Note that since for all $n\in \left[N\right]\setminus {\mathcal{R}}_2$, $N_2\left({\alpha }_n\right)=0$, we have ${\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_n\right)=0$ for all $\mathit{\ell }\in \left[5\right]$. In (57), for all $\mathit{\ell }\in \left[5\right]$, ${\left({\mathbf{Y}}_{2,\mathit{\ell },i}\right)}_{i\in \left[12\right]}$ are various linear combinations of ${\left({\mathbf{W}}_{2,\mathit{\ell },\kappa }\right)}_{\kappa \in \left[2\right]}$ and ${\left({\mathbf{Z}}_{2,\mathit{\ell },x}\right)}_{x\in \left[2\right]}$. Since $|{\mathcal{R}}_2|=10$, the degree of the last term (viewed as a polynomial in $\alpha$) in (57) is 11.

For all $n\in \left[20\right]$, the storage at Server n is $S_n=\{{\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_n\right),{\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_n\right)\mid \mathit{\ell }\in \left[5\right]\}$. The MDS($20,3$) coded random noise term in (54) guarantees that the messages ${\left({\mathbf{W}}_{1,k}\right)}_{k\in \left[K_1\right]}$ is $X_1=3$-secure. Similarly, the MDS($20,2$) coded random noise term in (56) guarantees that the message ${\left({\mathbf{W}}_{2,k}\right)}_{k\in \left[K_2\right]}$ is $X_2=2$-secure. Thus we have

$$\begin{array}{cccc}\hfill & I({\mathcal{S}}_{\mathcal{X}};{\mathcal{W}}_1)=0,\hfill & \hfill & \forall \mathcal{X}\subset \left[20\right],\left|\mathcal{X}\right|=3,\hfill \end{array}$$

(58a)

$$\begin{array}{cccc}\hfill & I({\mathcal{S}}_{\mathcal{X}};{\mathcal{W}}_2)=0,\hfill & \hfill & \forall \mathcal{X}\subset \left[20\right],\left|\mathcal{X}\right|=2.\hfill \end{array}$$

(58b)

Note that for all $n\in \left[20\right],m\in \left[2\right]\setminus {\mathcal{M}}_n,\mathit{\ell }\in \left[5\right]$, ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left({\alpha }_n\right)=\mathbf{0}$ holds, i.e., if the graph-based storage pattern prohibits a server from storing a certain message, the corresponding codeword is explicitly set to zero.

For all $\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right],t\in \left[3\right]$, let ${\mathbf{Z}}_{1,\mathit{\ell },\kappa ,t}^{\prime }$ be uniformly i.i.d. column vectors from ${\mathbb{F}}_q^{K_1}$, independent of the coefficients. For all $\mathit{\ell }\in \left[5\right]$, let us define the following rational functions in $\alpha$,

$$\begin{array}{cc}\hfill & {\mathbf{Q}}_{1,\mathit{\ell },1}\left(\alpha \right)={\displaystyle \frac{\alpha -f_{\mathit{\ell },2}}{f_{\mathit{\ell },1}-f_{\mathit{\ell },2}}}{\mathit{\lambda }}_1+(\alpha -f_{\mathit{\ell },1})(\alpha -f_{\mathit{\ell },2})\left(\sum _{t\in \left[3\right]}{\alpha }^{t-1}{\mathbf{Z}}_{1,\mathit{\ell },1,t}^{\prime }\right),\hfill \end{array}$$

(59)

$$\begin{array}{cc}\hfill & {\mathbf{Q}}_{1,\mathit{\ell },2}\left(\alpha \right)={\displaystyle \frac{\alpha -f_{\mathit{\ell },1}}{f_{\mathit{\ell },2}-f_{\mathit{\ell },1}}}{\mathit{\lambda }}_1+(\alpha -f_{\mathit{\ell },1})(\alpha -f_{\mathit{\ell },2})\left(\sum _{t\in \left[3\right]}{\alpha }^{t-1}{\mathbf{Z}}_{1,\mathit{\ell },2,t}^{\prime }\right),\hfill \end{array}$$

(60)

For all $\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right],t\in \left[2\right]$, let ${\mathbf{Z}}_{2,\mathit{\ell },\kappa ,t}^{\prime }$ be uniformly i.i.d. column vectors from ${\mathbb{F}}_q^{K_2}$, independent of the coefficients. For all $\mathit{\ell }\in \left[5\right]$, let us define the following rational functions in $\alpha$,

$$\begin{array}{cc}\hfill & {\mathbf{Q}}_{2,\mathit{\ell },1}\left(\alpha \right)={\displaystyle \frac{\alpha -f_{\mathit{\ell },2}}{f_{\mathit{\ell },1}-f_{\mathit{\ell },2}}}{\mathit{\lambda }}_2+(\alpha -f_{\mathit{\ell },1})(\alpha -f_{\mathit{\ell },2})\left(\sum _{t\in \left[2\right]}{\alpha }^{t-1}{\mathbf{Z}}_{2,\mathit{\ell },1,t}^{\prime }\right),\hfill \end{array}$$

(61)

$$\begin{array}{cc}\hfill & {\mathbf{Q}}_{2,\mathit{\ell },2}\left(\alpha \right)={\displaystyle \frac{\alpha -f_{\mathit{\ell },1}}{f_{\mathit{\ell },2}-f_{\mathit{\ell },1}}}{\mathit{\lambda }}_2+(\alpha -f_{\mathit{\ell },1})(\alpha -f_{\mathit{\ell },2})\left(\sum _{t\in \left[2\right]}{\alpha }^{t-1}{\mathbf{Z}}_{2,\mathit{\ell },2,t}^{\prime }\right),\hfill \end{array}$$

(62)

For all $n\in \left[20\right]$, the query sent to Server n is constructed as ${\mathcal{Q}}_n^{(\mathbf{\Lambda })}=\{{\mathbf{Q}}_{1,\mathit{\ell },\kappa }\left({\alpha }_n\right),$${\mathbf{Q}}_{2,\mathit{\ell },\kappa }\left({\alpha }_n\right)\mid \mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\}$. The MDS($20,3$) coded random noise terms in (59) and (60) guarantee that the coefficient ${\mathit{\lambda }}_1$ is $T_1=3$–private. Similarly, the MDS($20,2$) coded random noise terms in (61) and (62) guarantee that the coefficient ${\mathit{\lambda }}_2$ is $T_2=2$-private. Thus we have

$$\begin{array}{cccc}\hfill & I({\mathcal{Q}}_{\mathcal{T}}^{(\mathbf{\Lambda })};{\left({\lambda }_{1,k}\right)}_{k\in \left[K_1\right]})=0,\hfill & \hfill & \forall \mathcal{T}\subset \left[20\right],\left|\mathcal{T}\right|=3,\hfill \end{array}$$

(63a)

$$\begin{array}{cccc}\hfill & I({\mathcal{Q}}_{\mathcal{T}}^{(\mathbf{\Lambda })};{\left({\lambda }_{2,k}\right)}_{k\in \left[K_2\right]})=0,\hfill & \hfill & \forall \mathcal{T}\subset \left[20\right],\left|\mathcal{T}\right|=2.\hfill \end{array}$$

(63b)

According to the definition of Section 4.1, $V=L/\mu =2$. The answer returned by Server n, $n\in \left[20\right]$ is constructed as follows.

$$\begin{array}{c}\hfill {\mathcal{A}}_n^{(\mathbf{\Lambda })}=\left\{\sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },1}\left({\alpha }_n\right),\sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },2}\left({\alpha }_n\right),\right\},\end{array}$$

(64)

where

$$\begin{array}{cc}\hfill & \sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },1}\left({\alpha }_n\right)\hfill \\ \hfill =& \sum _{\mathit{\ell }\in \left[5\right]}{\left({\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },1}}}{\mathbf{W}}_{1,\mathit{\ell },1}+{\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },2}}}{\mathbf{W}}_{1,\mathit{\ell },2}+\sum _{i\in \left[11\right]}{\alpha }_n^{i-1}{\mathbf{Y}}_{1,\mathit{\ell },i}\right)}^{\top }\hfill \\ \hfill & \times \left[{\displaystyle \frac{{\alpha }_n-f_{\mathit{\ell },2}}{f_{\mathit{\ell },1}-f_{\mathit{\ell },2}}}{\mathit{\lambda }}_1+({\alpha }_n-f_{\mathit{\ell },1})({\alpha }_n-f_{\mathit{\ell },2})\left(\sum _{t\in \left[3\right]}{\alpha }_n^{t-1}{\mathbf{Z}}_{1,\mathit{\ell },1,t}^{\prime }\right)\right]\hfill \\ \hfill & +{\left({\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },1}}}{\mathbf{W}}_{2,\mathit{\ell },1}+{\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },2}}}{\mathbf{W}}_{2,\mathit{\ell },2}+\sum _{i\in \left[12\right]}{\alpha }_n^{i-1}{\mathbf{Y}}_{2,\mathit{\ell },i}\right)}^{\top }\hfill \end{array}$$

$$\begin{array}{c}\times \left[{\displaystyle \frac{{\alpha }_n-f_{\mathit{\ell },2}}{f_{\mathit{\ell },1}-f_{\mathit{\ell },2}}}{\mathit{\lambda }}_2+({\alpha }_n-f_{\mathit{\ell },1})({\alpha }_n-f_{\mathit{\ell },2})\left(\sum _{t\in \left[2\right]}{\alpha }_n^{t-1}{\mathbf{Z}}_{2,\mathit{\ell },1,t}^{\prime }\right)\right]\hfill \end{array}$$

(65)

$$\begin{array}{cc}\hfill =& \sum _{\mathit{\ell }\in \left[5\right]}\left({\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },1}}}{\mathbf{W}}_{1,\mathit{\ell },1}^{\top }{\mathit{\lambda }}_1+{\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },1}}}{\mathbf{W}}_{2,\mathit{\ell },1}^{\top }{\mathit{\lambda }}_2+\sum _{s\in \left[15\right]}{\alpha }_n^{s-1}{\mathbf{Y}}_{\mathit{\ell },1,s}^{\prime }\right)\hfill \end{array}$$

(66)

$$\begin{array}{cc}\hfill =& \sum _{\mathit{\ell }\in \left[5\right]}{\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },1}}}\left(\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,\mathit{\ell },1}^{\top }{\mathit{\lambda }}_m\right)+\sum _{s\in \left[15\right]}{\alpha }_n^{s-1}{\overline{\mathbf{Y}}}_{1,s}\hfill \end{array}$$

(67)

where for all $\mathit{\ell }\in \left[5\right],s\in \left[15\right]$, ${\mathbf{Y}}_{\mathit{\ell },1,s}^{\prime }$ are various linear combinations of ${\mathbf{W}}_{1,\mathit{\ell },2}^{\top }{\mathit{\lambda }}_1$, ${\left({\mathbf{Y}}_{1,\mathit{\ell },i}^{\top }{\mathit{\lambda }}_1\right)}_{i\in \left[11\right]}$, ${\left({\mathbf{W}}_{1,\mathit{\ell },2}^{\top }{\mathbf{Z}}_{1,\mathit{\ell },1,t}^{\prime }\right)}_{t\in \left[3\right]}$, ${\left({\mathbf{Y}}_{1,\mathit{\ell },i}^{\top }{\mathbf{Z}}_{1,\mathit{\ell },1,t}^{\prime }\right)}_{t\in \left[3\right],i\in \left[12\right]}$, ${\mathbf{W}}_{2,\mathit{\ell },2}^{\top }{\mathit{\lambda }}_2$, ${\left({\mathbf{Y}}_{2,\mathit{\ell },i}^{\top }{\mathit{\lambda }}_2\right)}_{i\in \left[12\right]}$, ${\left({\mathbf{W}}_{2,\mathit{\ell },2}^{\top }{\mathbf{Z}}_{2,\mathit{\ell },1,t}^{\prime }\right)}_{t\in \left[2\right]}$, ${\left({\mathbf{Y}}_{2,\mathit{\ell },i}^{\top }{\mathbf{Z}}_{2,\mathit{\ell },1,t}^{\prime }\right)}_{t\in \left[2\right],i\in \left[12\right]}$, whose exact form is not relevant. Similarly, we have

$$\begin{array}{cc}\hfill & \sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_n\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },2}\left({\alpha }_n\right)\hfill \\ \hfill =& \sum _{\mathit{\ell }\in \left[5\right]}{\displaystyle \frac{1}{{\alpha }_n-f_{\mathit{\ell },2}}}\left(\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,\mathit{\ell },2}^{\top }{\lambda }_m\right)+\sum _{s\in \left[15\right]}{\alpha }_n^{s-1}{\overline{\mathbf{Y}}}_{2,s}.\hfill \end{array}$$

(68)

Note that for all $n\in \left[20\right],m\in \left[2\right]\setminus {\mathcal{M}}_n,\mathit{\ell }\in \left[5\right]$, ${\tilde{\mathbf{W}}}_{m,\mathit{\ell }}\left({\alpha }_n\right)=0$ always holds; thus, there is no need for the user to upload ${\mathbf{Q}}_{m,\mathit{\ell },1}$ and ${\mathbf{Q}}_{m,\mathit{\ell },2}$.

Now, we can write the symbols contained in ${\left({\mathcal{A}}_n^{(\mathbf{\Lambda })}\right)}_{n\in \left[20\right]}$ in the following matrix form,

$$\begin{array}{cc}\hfill & \left[\begin{array}{c}\sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_1\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },1}\left({\alpha }_1\right)\\ \sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_2\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },1}\left({\alpha }_2\right)\\ ⋮\\ \sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_{20}\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },1}\left({\alpha }_{20}\right)\end{array}\right]\hfill \\ \hfill =& \left[\begin{array}{ccccccc}{\displaystyle \frac{1}{{\alpha }_1-f_{1,1}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_1-f_{5,1}}}& 1& {\alpha }_1& \cdots & {\alpha }_1^{13}\\ {\displaystyle \frac{1}{{\alpha }_2-f_{1,1}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_2-f_{5,1}}}& 1& {\alpha }_2& \cdots & {\alpha }_2^{13}\\ ⋮\\ {\displaystyle \frac{1}{{\alpha }_{20}-f_{1,1}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_{20}-f_{5,1}}}& 1& {\alpha }_{20}& \cdots & {\alpha }_{20}^{13}\end{array}\right]\hfill \\ \hfill & \times {\left[\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,1,1}^{\top }{\mathit{\lambda }}_m\cdots \sum _{m\in \left[2\right]}{\mathbf{W}}_{m,5,1}^{\top }{\mathit{\lambda }}_m{\overline{\mathbf{Y}}}_{1,1}{\overline{\mathbf{Y}}}_{1,2}\cdots {\overline{\mathbf{Y}}}_{1,15}\right]}^{\top }\hfill \end{array}$$

(69)

$$\begin{array}{cc}\hfill & \left[\begin{array}{c}\sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_1\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },2}\left({\alpha }_1\right)\\ \sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_2\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },2}\left({\alpha }_2\right)\\ ⋮\\ \sum _{m\in \left[2\right],\mathit{\ell }\in \left[5\right]}{\tilde{\mathbf{W}}}_{m,\mathit{\ell }}{\left({\alpha }_{20}\right)}^{\top }{\mathbf{Q}}_{m,\mathit{\ell },2}\left({\alpha }_{20}\right)\end{array}\right]\hfill \\ \hfill =& \left[\begin{array}{ccccccc}{\displaystyle \frac{1}{{\alpha }_1-f_{1,2}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_1-f_{5,2}}}& 1& {\alpha }_1& \cdots & {\alpha }_1^{13}\\ {\displaystyle \frac{1}{{\alpha }_2-f_{1,2}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_2-f_{5,2}}}& 1& {\alpha }_2& \cdots & {\alpha }_2^{13}\\ ⋮\\ {\displaystyle \frac{1}{{\alpha }_{20}-f_{1,2}}}& \cdots & {\displaystyle \frac{1}{{\alpha }_{20}-f_{5,2}}}& 1& {\alpha }_{20}& \cdots & {\alpha }_{20}^{13}\end{array}\right]\hfill \\ \hfill & \times {\left[\sum _{m\in \left[2\right]}{\mathbf{W}}_{m,\mathit{\ell },2}^{\top }{\mathit{\lambda }}_m\cdots \sum _{m\in \left[2\right]}{\mathbf{W}}_{m,\mathit{\ell },2}^{\top }{\mathit{\lambda }}_m{\overline{\mathbf{Y}}}_{2,1}{\overline{\mathbf{Y}}}_{2,2}\cdots {\overline{\mathbf{Y}}}_{2,15}\right]}^{\top }\hfill \end{array}$$

(70)

Now it is clear that the desired linear combination symbols ${\left[{\sum }_{m\in \left[M\right]}{\mathbf{W}}_{m,\mathit{\ell },\kappa }^{\top }{\mathit{\lambda }}_m\right]}_{\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]}$ can be decoded by inverting the Cauchy–Vandermonde matrix in (69) and (70), respectively, whose invertibility is ensured by the fact that $f_{1,1},\cdots ,f_{5,1},f_{1,2},\cdots ,f_{5,2},{\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_{20}$ are distinct. Finally, note that for each server n, a total of two symbols are downloaded, and the normalized download cost of the scheme is, thus, $D_n=2/10=1/5$ for all $n\in \left[20\right]$.

Remark 2.

It is of interest to compare the decoding complexity of our scheme with that of [38]. For the decoding procedure, our scheme directly inverts a Cauchy–Vandermonde matrix, which can be conducted in $\mathrm{O}\left(N^3\right)$ via standard methods or $\tilde{\mathrm{O}}\left(N{log}^{2}N\right)$ using fast algorithms. In contrast, the scheme in [38] requires an additional pre-processing step for interference cancellation before a similar inversion, incurring an extra complexity of $O\left(N^2\right)$ above the complexity of inverting a Vandermonde matrix (which is also $\mathrm{O}\left(N^3\right)$ via standard methods or $\tilde{\mathrm{O}}\left(N{log}^{2}N\right)$ using fast algorithms).

5. Proof of Theorem 1

In this section, adapting from the idea of the augmented system in [38], we show that the download cost and the corresponding storage cost as defined in Theorem 1 are achievable. The augmented system is an Asymmetric MDS-GXSTPLC instance with the same message sets that are to be eventually reduced to the original GXSTPLC setting by merging servers. Specifically, the augmented system consists of $\overline{N}={\sum }_{n\in \left[N\right]}{\tau }_n$ servers, denoted as Server $(1,1),(1,2),\cdots ,(1,{\tau }_1),\cdots ,(N,1),(N,2),\cdots ,(N,{\tau }_N)$. The storage pattern $\overline{\mathcal{R}}=\{{\overline{\mathcal{R}}}_1,{\overline{\mathcal{R}}}_2,\cdots ,{\overline{\mathcal{R}}}_M\}$ and security/privacy thresholds for each message set $\overline{\mathbf{X}}=({\overline{X}}_1,{\overline{X}}_2,\cdots ,{\overline{X}}_M)$, $\overline{\mathbf{T}}=({\overline{T}}_1,,{\overline{T}}_2,\cdots ,{\overline{T}}_M)$ are defined as follows.

$$\begin{array}{cc}\hfill {\overline{X}}_m& =X{\gamma }_m,\forall m\in \left[M\right]\hfill \end{array}$$

(71)

$$\begin{array}{cc}\hfill {\overline{T}}_m& =T{\gamma }_m,\forall m\in \left[M\right]\hfill \end{array}$$

(72)

$$\begin{array}{cc}\hfill {\overline{\mathcal{R}}}_m& =\left\{(n,i)\mid n\in {\mathcal{R}}_m,i\in [min({\gamma }_m,{\tau }_n)]\right\}\hfill \end{array}$$

(73)

In addition, for all $m\in \left[M\right]$, we set the MDS coding parameter for the augmented system ${\overline{\eta }}_m=q_0({\eta }_m-1)+1$. Recall that by the definition of $q_0$, ${\overline{\eta }}_m$ must be an integer.

Our GXSTPLC scheme is obtained by merging servers $(n,1),(n,2),\cdots ,(n,{\tau }_n)$ into Server n for all $n\in \left[N\right]$, i.e., assigning the storage, queries, and corresponding answers. Note that this recovers the original storage pattern $\mathcal{R}$ because for all $n\in \left[N\right]$, we have ${\bigcup }_{i\in \left[{\tau }_n\right]}{\overline{\mathcal{M}}}_{(n,i)}\subseteq {\mathcal{M}}_n$, where ${\overline{\mathcal{M}}}_{(n,i)}=\{m\in \left[M\right]\mid {\overline{\mathcal{R}}}_m\ni (n,i)\}$ is the dual representation of $\overline{\mathcal{R}}$. Moreover, due to the fact that for all $m\in \left[M\right]$, $n\in {\mathcal{R}}_m$, the total number of pairs of the form $(n,\ast )$ in ${\overline{\mathcal{R}}}_m$ cannot be greater than ${\overline{X}}_m/X$ and ${\overline{T}}_m/T$, so any X (or T) colluding servers have, at most, ${\overline{X}}_m$ (or ${\overline{T}}_m$) codewords (or queries) of the $m^{th}$ message set. Guaranteed by the $X_m$-security (or $T_m$-privacy), these colluding servers disclose nothing about the messages (or coefficients); i.e., the scheme is X-secure and T-private. Finally, according to Section 4, for the augmented system, the normalized download cost of

$$\begin{array}{c}\hfill D_{n,i}={\displaystyle \frac{1}{{min}_{m\in \left[M\right]}{\overline{\rho }}_m-{\overline{X}}_m-{\overline{T}}_m-{\overline{\eta }}_m+1}}\end{array}$$

(74)

for each server $(n,i),n\in \left[\overline{N}\right],i\in \left[{\tau }_n\right]$ is achievable, where ${\overline{\rho }}_m=\left|{\overline{\mathcal{R}}}_m\right|,m\in \left[M\right]$. According to the definition, for all $m\in \left[M\right]$, ${\overline{\rho }}_m={\overline{X}}_m+{\overline{T}}_m+{\nu }_m$, where ${\nu }_m$ is the summation of the smallest $({\rho }_m-X-T)$ elements in ${\left({\tau }_n\right)}_{n\in {\mathcal{R}}_m}$. Since $(D_1,D_2,\cdots ,D_N)\in \mathcal{D}$, we must have ${\nu }_m\ge q_0{\eta }_m$ for all $m\in \left[M\right]$. Now, since reducing the augmented system to the original setting does not increase the download cost, we can verify that the desired normalized download cost $D_n$ for all Server $n,n\in \left[N\right]$ is achievable by our scheme, as follows.

$$\begin{array}{cc}\hfill \sum _{i\in \left[{\tau }_n\right]}{D}_{n,i}=& {\displaystyle \frac{{\tau }_n}{{min}_{m\in \left[M\right]}{\overline{\rho }}_m-{\overline{X}}_m-{\overline{T}}_m-{\overline{\eta }}_m+1}}\hfill \end{array}$$

(75)

$$\begin{array}{cc}\hfill =& {\displaystyle \frac{{\tau }_n}{{min}_{m\in \left[M\right]}{\nu }_m-{\overline{\eta }}_m+1}}\hfill \end{array}$$

(76)

$$\begin{array}{cc}\hfill \le & {\displaystyle \frac{{\tau }_n}{q_0{\eta }_m-q_0({\eta }_m-1)}}\hfill \end{array}$$

(77)

$$\begin{array}{cc}\hfill =& {\displaystyle \frac{{\tau }_n}{q_0}}\hfill \end{array}$$

(78)

$$\begin{array}{cc}\hfill =& D_n\hfill \end{array}$$

(79)

Moreover, the normalized storage cost of Server n, $C_n$, can be calculated as follows.

$$\begin{array}{cc}\hfill C_n& ={\displaystyle \frac{{\sum }_{i\in \left[{\tau }_n\right],m\in {\overline{\mathcal{M}}}_{n,i}}{K}_m/{\overline{\eta }}_m}{K}}\hfill \end{array}$$

(80)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{K}}\sum _{i=1}^{{\tau }_n}\sum _{m=1}^M\mathbb{I}((n,i)\in {\overline{\mathcal{R}}}_m){\displaystyle \frac{K_m}{{\overline{\eta }}_m}}\hfill \end{array}$$

(81)

$$\begin{array}{cc}\hfill & ={\displaystyle \frac{1}{K}}\sum _{m\in {\mathcal{M}}_n}min({\tau }_n,{\gamma }_m){\displaystyle \frac{K_m}{q_0({\eta }_m-1)+1}}\hfill \end{array}$$

(82)

Remark 3.

Recall that our achievability scheme is constructed by reducing the augmented system (i.e., an Asymmetric MDS-GXSTPLC instance) to the original setting. Consequently, the decoding procedure for the scheme consists of inverting a series of Cauchy–Vandermonde matrices defined in (41). Indeed, this can be viewed as a series of instances of the CSA scheme, where the desired linear combination symbols are carried by the Cauchy terms, and the interference symbols are aligned within the Vandermonde terms. Then, according to the N-Sum Box abstraction of CSA codes [44,50], in a quantum setting where servers can send entangled qudits via separate quantum channels to the user, representing encoded classical answer symbols through local quantum operations, the superdense coding gain is achievable. In particular, for any total normalized download cost of $D={\sum }_{n\in \left[N\right]}{D}_n>2$ in the classical setting, the corresponding quantum scheme achieves a total download cost of ${\displaystyle \frac{D}{2}}$. For any classical total normalized download cost of $D<2$, the quantum scheme achieves the (obviously) optimal normalized total download cost of $D=1$. Note that this direct application of the CSA structure and the subsequent quantum gain is not directly applicable to schemes exploiting properties of dual GRS codes [26,38], since their decoding requires a pre-processing procedure of interference cancellation, and the resulting structure does not follow that of CSA codes.

Motivating Example

Consider another motivating example where we have $N=8$ servers and K messages, $X=1$ and $T=1$. The K messages are partitioned into two disjoint sets ${\mathcal{W}}_1$ and ${\mathcal{W}}_2$. Let us set $K_1=K_2=K/2$. The storage pattern for this example is as follows.

$$\begin{array}{cc}\hfill {\mathcal{R}}_1& =\{2,3,6,7\},\hfill \end{array}$$

(83a)

$$\begin{array}{cc}\hfill {\mathcal{R}}_2& =\{1,4,5,7,8\}.\hfill \end{array}$$

(83b)

Let us set $\eta =({\eta }_1,{\eta }_2)=(1.2,1.2)$. Moreover, let us also set the target vector of per-server normalized download costs as $(D_1,D_2,\cdots ,D_8)=(2/5,3/5,3/5,2/5,2/5,3/5,3/5,2/5)$. It can be easily verified that the selected vector of per-server normalized download costs lies in the feasible region $\mathcal{D}(\mathit{\eta })$ defined in (15). Following the notations defined in Theorem 1 and above, we have $q_0=5$, $({\tau }_1,{\tau }_2,\cdots ,{\tau }_6)=(2,3,3,2,2,3,3,2)$ and $\overline{N}=20$. The 20 servers in the augmented system are listed as $\left(\right(1,1),(1,2),(2,1),(2,2),(2,3),(3,1),(3,2),(3,3),(4,1),(4,2),(5,1),(5,2),(6,1),(6,2),(6,3),(7,1),(7,2),(7,3),(8,1),(8,2\left)\right)$.

Now we can generate the augmented system. Specifically, for the augmented system, we have ${\overline{X}}_3={\overline{T}}_1=3$, ${\overline{X}}_2={\overline{T}}_2=2$, ${\overline{\eta }}_1={\overline{\eta }}_2=2$, and the storage pattern is shown in

Table 1. Storage pattern of the augmented system in Example 1.

Server	$(1,1)$	$(1,2)$	$(2,1)$	$(2,2)$	$(2,3)$	$(3,1)$	$(3,2)$	$(3,3)$	$(4,1)$
${\overline{\mathcal{M}}}_{(n,i)}$	2	2	1	1	1	1	1	1	2
Server	$(4,2)$	$(5,1)$	$(5,2)$	$(6,1)$	$(6,2)$	$(6,3)$	$(7,1)$	$(7,2)$	$(7,3)$
${\overline{\mathcal{M}}}_{(n,i)}$	2	2	2	1	1	1	1	1	1
							2	2
Server	$(8,1)$	$(8,2)$
${\overline{\mathcal{M}}}_{(n,i)}$	2	2

.

This is exactly the setting presented in the motivating example in Section 4.5 with server mapping $\Psi :\left(\right(1,1),(1,2),(2,1),(2,2),(2,3),(3,1),(3,2),(3,3),(4,1),(4,2),(5,1),(5,2),(6,1),(6,2),(6,3),(7,1),(7,2),(7,3),(8,1),(8,2\left)\right)\to (1,2,\cdots ,20)$, and for each server $(n,i),n\in \left[8\right],i\in \left[{\tau }_n\right]$, the normalized download cost of $D_{n,i}=1/5$ is achievable. After reducing the augmented system to the original setting, we can calculate that the normalized download costs $(D_1,D_2,\cdots ,D_8)=(2/5,3/5,3/5,2/5,2/5,3/5,3/5,2/5)$ are achievable, and the normalized storage costs are $(C_1,C_2,\cdots ,C_8)=(1/2,3/4,3/4,1/2,1/2,3/4,5/4,1/2)$.

Now let us see why the resulting GXSTPLC scheme is $X=1$–secure and $T=1$–private. Note that for all $n\in \{2,3,6\}$,

$$\begin{array}{cc}\hfill I({\mathcal{S}}_n;\mathcal{W})=& I\left(\{{\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right),{\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_1,{\mathcal{W}}_2\right)\hfill \end{array}$$

(84)

$$\begin{array}{cc}\hfill =& I\left(\{{\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_1\right)\hfill \end{array}$$

(85)

$$\begin{array}{cc}\hfill =& 0,\hfill \end{array}$$

(86)

$$\begin{array}{ccc}\hfill I(Q_n^{[\mathbf{\Lambda }]};\mathbf{\Lambda })=& I\left(\right\{{\mathbf{Q}}_{1,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right),{\mathbf{Q}}_{2,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\}; \hfill & {\left\{{\lambda }_{m,k}\right\}}_{m\in \left[2\right],k\in \left[K_m\right]})\hfill \end{array}$$

(87)

$$\begin{array}{cc}\hfill =& I\left(\{{\mathbf{Q}}_{1,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\};{\left\{{\lambda }_{1,k}\right\}}_{k\in \left[K_1\right]}\right)\hfill \end{array}$$

(88)

$$\begin{array}{cc}\hfill =& 0,\hfill \end{array}$$

(89)

For all $n\in \{1,4,5,8\}$,

$$\begin{array}{cc}\hfill I({\mathcal{S}}_n;\mathcal{W})=& I\left(\{{\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right),{\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[2\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_1,{\mathcal{W}}_2\right)\hfill \end{array}$$

(90)

$$\begin{array}{cc}\hfill =& I\left(\{{\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[2\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_2\right)\hfill \end{array}$$

(91)

$$\begin{array}{cc}\hfill =& 0,\hfill \end{array}$$

(92)

$$\begin{array}{ccc}\hfill I(Q_n^{[\mathbf{\Lambda }]};\mathbf{\Lambda })=& I\left(\right\{{\mathbf{Q}}_{1,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right),{\mathbf{Q}}_{2,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[2\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\}; \hfill & {\left\{{\lambda }_{m,k}\right\}}_{m\in \left[2\right],k\in \left[K_m\right]})\hfill \end{array}$$

(93)

$$\begin{array}{cc}\hfill =& I\left(\{{\mathbf{Q}}_{2,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(n,i\left)\right)}\right)\mid i\in \left[2\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\};{\left\{{\lambda }_{2,k}\right\}}_{k\in \left[K_2\right]}\right)\hfill \end{array}$$

(94)

$$\begin{array}{cc}\hfill =& 0,\hfill \end{array}$$

(95)

and

$$\begin{array}{cc}\hfill I({\mathcal{S}}_7;\mathcal{W})=& I\left(\{{\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right),{\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_1,{\mathcal{W}}_2\right)\hfill \\ \hfill =& I\left(\{{\tilde{\mathbf{W}}}_{1,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_1\right)\hfill \end{array}$$

(96)

$$\begin{array}{cc}\hfill & +I\left(\{{\tilde{\mathbf{W}}}_{2,\mathit{\ell }}\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right)\mid i\in \left[2\right],\mathit{\ell }\in \left[5\right]\};{\mathcal{W}}_2\right)\hfill \end{array}$$

(97)

$$\begin{array}{cc}\hfill =& 0,\hfill \end{array}$$

(98)

$$\begin{array}{ccc}\hfill I(Q_7^{[\mathbf{\Lambda }]};\mathbf{\Lambda })=& I\left(\right\{{\mathbf{Q}}_{1,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right),{\mathbf{Q}}_{2,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\}; \hfill & {\left\{{\lambda }_{m,k}\right\}}_{m\in \left[2\right],k\in \left[K_m\right]})\hfill \\ \hfill =& I\left(\{{\mathbf{Q}}_{1,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right)\mid i\in \left[3\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\};{\left\{{\lambda }_{1,k}\right\}}_{k\in \left[K_1\right]}\right)\hfill \end{array}$$

(99)

$$\begin{array}{cc}\hfill & +I(\{{\mathbf{Q}}_{2,\mathit{\ell },\kappa }\left({\alpha }_{\Psi \left(\right(7,i\left)\right)}\right)\mid i\in \left[2\right],\mathit{\ell }\in \left[5\right],\kappa \in \left[2\right]\};{\left\{{\lambda }_{2,k}\right\}}_{k\in \left[K_2\right]})\hfill \end{array}$$

(100)

$$\begin{array}{cc}\hfill =& 0,\hfill \end{array}$$

(101)

(86), (92), and (98) hold due to (58), (89), (95) and (101) holds due to (63).

6. Conclusions

We explored the problem of GXSTPLC by proposing an achievability scheme that establishes a trade-off between communication cost and storage cost. Notably, our scheme demonstrates the generalization of the CSA null shaper idea beyond its application in storage-consistent private updates. The application of CSA null shaper preserves the standard CSA decoding structure while offering significant advantages, including reduced decoding complexity and a direct framework for quantum transformation. Promising avenues for future research include the complete capacity characterization for the MDS-GXSTPLC problem. Additionally, investigating the potential applicability of the CSA null shaper to other relevant problems is of considerable interest.