Open Access
This article is

- freely available
- re-usable

*Information*
**2019**,
*10*(9),
265;
https://doi.org/10.3390/info10090265

Article

Breaking the MDS-PIR Capacity Barrier via Joint Storage Coding

^{1}

Department of Electrical Engineering, University of North Texas, Denton, TX 76203, USA

^{2}

Department of Electrical and Computer Engineering, Texas A&M University, College Station, TX 77843, USA

^{*}

Authors to whom correspondence should be addressed.

Received: 20 June 2019 / Accepted: 19 August 2019 / Published: 22 August 2019

## Abstract

**:**

The capacity of private information retrieval (PIR) from databases coded using maximum distance separable (MDS) codes was previously characterized by Banawan and Ulukus, where it was assumed that the messages are encoded and stored separably in the databases. This assumption was also usually made in other related works in the literature, and this capacity is usually referred to as the MDS-PIR capacity colloquially. In this work, we considered the question of if and when this capacity barrier can be broken through joint encoding and storing of the messages. Our main results are two classes of novel code constructions, which allow joint encoding, as well as the corresponding PIR protocols, which indeed outperformed the separate MDS-coded systems. Moreover, we show that a simple, but novel expansion technique allows us to generalize these two classes of codes, resulting in a wider range of the cases where this capacity barrier can be broken.

Keywords:

private information retrieval; maximum distance separable codes; capacity## 1. Introduction

Private information retrieval (PIR) [1] has attracted significant attention from researchers in the fields of theoretical computer science, cryptography, information theory, and coding theory. In the classical PIR model, a user wishes to retrieve one of the K available messages, from N non-communicating databases, each of which has a copy of these K messages. User privacy needs to be preserved during the retrieval process, which requires that the identity of the desired message not be revealed to any single database. To accomplish the task efficiently, good codes need to be designed such that the least amount of data should be downloaded. The inverse of the minimum amount of the downloaded data per-bit of desired message is referred to as the capacity of the PIR system. The capacity of the classical PIR system was characterized precisely in a recent work by Sun and Jafar [2].

In distributed systems, databases may fail; moreover, each storage node (database) is also constrained on the storage space. Erasure codes can be used to improve both storage efficiency and failure resistance, which motivated the investigation of PIR from data encoded with maximum distance separable (MDS) codes [3,4,5,6,7], with coding parameter $(N,T)$, i.e., the messages can be recovered by accessing any T databases. The capacity of PIR from MDS-coded databases (MDS-PIR) was characterized by Banawan and Ulukus [5], which is usually referred to as the MDS-PIR capacity colloquially.

In all these existing works, the storage code was designed such that each message was independently encoded and stored in the databases and thus could also be recovered individually. In fact, even when the storage codes are not necessarily MDS codes, most existing works on the capacity of private information retrieval assumed this separate coding architecture [8,9,10,11,12,13], and the only exceptions we are aware of are [14,15,16]. Though the architecture of separately encoding each message offers a simple storage solution with good data reliability, it is by no means the only possible MDS storage coding strategy. Instead, the messages can be stored jointly using an MDS code, which could provide the same level of data reliability at the same amount of storage overhead. Motivated by this simple observation, which was first mentioned as a footnote in [15] and can be further traced back to a code example in [14], we ask the following natural question: When can the MDS-PIR capacity barrier, which was established in [5] for separately encoding the messages using an MDS code, be broken, by allowing joint encoding of the messages using an MDS code?

In this work, we show that there are many cases, where through jointly encoding and storing the messages, the messages can be protected using an $(N,T)$ MDS code, but retrieved with less data download than the separate coding architecture. In other words, the capacity barrier for separately encoding the messages can be broken for these cases. More precisely, the mathematical question we ask is under what $(K,N,T)$ parameters jointly encoding and storing the MDS-coded messages can provide strict PIR retrieval rate improvement; we show that this can be done at least in the following two cases:

- $(K,N,T)=(2,N,2)$ and $N\ge 3$;
- $(K,N,T)=(K,K+1,K)$ and $K\ge 2$.

To establish this result, we provide two novel code constructions and PIR protocols, which yield strict performance improvement over the strategy of encoding and storing messages separately using an MDS code. Moreover, we show that through a simple, but novel code expansion technique, the MDS-PIR capacity barrier can also be broken for the following cases for an arbitrary integer $m\ge 1$:

- $(K,N,T)=(2,mN,2m)$ and $N\ge 3$;
- $(K,N,T)=(K,m(K+1),mK)$ and $K\ge 2$.

It should be noted that related to the line of works that focus on PIR capacity, there exists another interesting line of work in coding theory [17,18,19,20,21,22] focusing on a different metric—the virtual server rate [19]—which studies how to store the messages jointly such that a minimum number of servers are used to simulate existing PIR protocols. In contrast to our current work, since the resulting joint storage code is not required to be MDS, it often turns out to be non-MDS, and thus cannot be compared directly.

The rest of the paper is organized as follows. In Section 2, we provide a precise description of the system model and problem formulation. In Section 3 and Section 4, we provide two novel joint coding storage codes and PIR protocols. In Section 5, we present a technique that yields more general classes of the codes, which can strictly improve upon separately encoding and storing the messages. Section 6 finally concludes the paper.

## 2. System Model and Problem Formulation

In this section, we first provide a formal description of the system model, then proceed to pose the problem we seek to answer in this work. A couple of additional remarks to clarify the relation between our system model and those seen in the literature are given at the end of the section.

#### 2.1. System Model

There is a total of K mutually-independent messages ${W}^{1},{W}^{2},\dots ,{W}^{K}$ in the system. Each message is uniformly distributed over ${\mathcal{X}}^{L}$, i.e., the set of length L sequences in the finite alphabet $\mathcal{X}$. The messages are MDS-coded and then distributed to N databases, such that from any T databases, the messages can be fully recovered. Since the messages are $(N,T)$ MDS-coded, it is without loss of generality to assume that $L\xb7K=M\xb7T$ for some integer M.

When a user wishes to retrieve a particular message ${W}^{{k}^{*}}$, N queries ${Q}_{1:N}^{\left[{k}^{*}\right]}=({Q}_{1}^{\left[{k}^{*}\right]},\dots ,{Q}_{N}^{\left[{k}^{*}\right]})$ are sent to the databases, where ${Q}_{n}^{\left[{k}^{*}\right]}$ is the query for database n. The retrieval needs to be information theoretically private, i.e., any database is not able to infer any knowledge as to which message is being requested. For this purpose, a random key $\mathsf{F}$ in the set $\mathcal{F}$ is used together with the desired message index ${k}^{*}$ to generate the set of queries ${Q}_{1:N}^{\left[{k}^{*}\right]}$. Each query ${Q}_{n}^{\left[{k}^{*}\right]}$ belongs to the set of allowed queries for database n, denoted as ${\mathcal{Q}}_{n}$. After receiving query ${Q}_{n}^{\left[{k}^{*}\right]}$, database n responds with an answer ${A}_{n}^{\left[{k}^{*}\right]}$. Each symbol in the answers from database n belongs to a finite field ${\mathcal{A}}_{n}$, and the answers may have multiple (and different numbers of) symbols. Using the answers ${A}_{1:N}^{\left[{k}^{*}\right]}$ from all N databases, together with $\mathsf{F}$ and ${k}^{*}$, the user then reconstructs ${\widehat{W}}^{{k}^{*}}$. We shall refer to such a system as a $(K,N,T)$ MDS-PIR system.

A more rigorous definition of a $(K,N,T)$ system can be specified by a set of coding functions as follows. In the following, we denote the cardinality of a set $\mathcal{B}$ as $\left|\mathcal{B}\right|$.

**Definition**

**1.**

A $(K,N,T)$ MDS-PIR code consists of the following coding components:

- 1.
- A set of MDS encoding functions:$$\begin{array}{c}\hfill {\Phi}_{n}:={\mathcal{X}}^{LK}\to {\mathcal{X}}^{M},\phantom{\rule{0.166667em}{0ex}}n\in \{1,\dots ,N\},\end{array}$$
- 2.
- A set of MDS decoding recovery functions:$$\begin{array}{c}\hfill {\Psi}_{\mathcal{T}}:{\mathcal{X}}^{LK}\to {\mathcal{X}}^{LK},\end{array}$$
- 3.
- A query function:$$\begin{array}{c}{\varphi}_{n}:\{1,\dots ,K\}\times \mathcal{F}\to {\mathcal{Q}}_{n},\phantom{\rule{1.em}{0ex}}n\in \{1,\dots ,N\},\end{array}$$
- 4.
- An answer length function:$$\begin{array}{c}\hfill {\ell}_{n}:{\mathcal{Q}}_{n}\to \{0,1,\dots \},\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{1.em}{0ex}}n\in \{1,\dots ,N\},\end{array}$$
- 5.
- An answer-generating function:$$\begin{array}{c}\hfill {\varphi}_{n}^{\left({q}_{n}\right)}:{\mathcal{X}}^{M}\times {\mathcal{Q}}_{n}\to {\mathcal{A}}_{n}^{{\ell}_{n}},\phantom{\rule{1.em}{0ex}}{q}_{n}\in {\mathcal{Q}}_{n},\phantom{\rule{0.166667em}{0ex}}n\in \{1,\dots ,N\},\end{array}$$
- 6.
- A reconstruction function:$$\begin{array}{c}\hfill \psi :\prod _{n=1}^{N}{\mathcal{A}}_{n}^{{\ell}_{n}}\times \{1,\dots ,K\}\times \mathcal{F}\to {\mathcal{X}}^{L},\end{array}$$

These functions satisfy the following three requirements:

- 1.
- MDS recoverable: For any $\mathcal{T}\subseteq \{1,\dots ,N\}$ such that $\left|\mathcal{T}\right|=T$, we have ${\tilde{W}}_{\mathcal{T}}^{1:K}={W}^{1:K}$.
- 2.
- Retrieval correctness: For any ${k}^{*}\in \{1,\dots ,K\}$, we have ${\widehat{W}}^{{k}^{*}}={W}^{{k}^{*}}$.
- 3.
- Privacy: For every $k,{k}^{\prime}\in \{1,\dots ,K\}$, $n\in \{1,\dots ,N\}$ and $q\in {\mathcal{Q}}_{n}$,$$\begin{array}{c}\hfill \mathbf{Pr}({Q}_{n}^{\left[k\right]}=q)=\mathbf{Pr}({Q}_{n}^{\left[{k}^{\prime}\right]}=q).\end{array}$$

The retrieval rate is defined as:
This is the number of bits of desired message information that can be privately retrieved per bit of downloaded data. The maximum possible retrieval rate is referred to as the capacity of the $(K,N,T)$ system.

$$\begin{array}{c}\hfill R:=\frac{Llog\left|\mathcal{X}\right|}{{\sum}_{n=1}^{N}\mathbb{E}\left({\ell}_{n}\right)log\left|{\mathcal{A}}_{n}\right|}.\end{array}$$

#### 2.2. Separate vs. Joint MDS Storage Codes

In the general problem definition we have provided above, the MDS encoding functions ${\Phi}_{n}$ allow the messages to be jointly encoded. For example, suppose we have $K=2$ messages, $N=3$ databases, and from any $T=2$ databases, we may decode both messages. A simple jointly-encoded MDS storage code is as follows. Each message has $L=2$ bits, denoted as ${W}^{1}=({a}_{1},{a}_{2}),{W}^{2}=({b}_{1},{b}_{2})$. Each database stores $M=LK/T=2$ bits, i.e., Database 1 stores $({a}_{1},{a}_{2})$, Database 2 stores $({b}_{1},{b}_{2})$, and Database 3 stores $({a}_{1}+{b}_{1},{a}_{2}+{b}_{2})$. However, in almost all existing works in the literature, e.g., [3,5,7,23,24,25,26], the messages are encoded separately. In other words, the MDS encoding functions have the special form:
where:
which encodes message ${W}^{k}$ into its MDS-coded form to be stored at database n. Correspondingly, the MDS decoding functions have the form:
where:
which decodes message k from the information regarding ${W}^{k}$ stored in the databases in the set $\mathcal{T}$. Particularly, since most practical MDS codes are linear, several existing works have directly assumed the MDS encoding functions to be linear, and moreover, the component coding functions ${\Phi}_{n}^{k}$ for different messages ${W}^{k}$’s are the same; see, e.g., [5,23]. In other words, in this class of codes, the encoding function ${\Phi}_{n}^{k}$ can be written as the multiplication of the message vector ${W}^{k}$ with an $L\times M/K$ encoding matrix ${G}_{n}$, whose elements are also in the finite field $\mathcal{X}$. To compare with the jointly-encoded MDS storage example above, we consider the same setting where $K=2$ messages, $L=2$ bits per message, $N=3$ servers, and the MDS parameter $T=2$. A separate MDS storage code where each database stores $M/K$ = 1 bit per message is as follows. Database 1 stores $({a}_{1},{b}_{1})$; Database 2 stores $({a}_{2},{b}_{2})$; and Database 3 stores $({a}_{1}+{a}_{2},{b}_{1}+{b}_{2})$. It is easy to see that for separately-encoded MDS storage codes, the storage space is divided evenly for each message, and each divided storage space can only be a function of the corresponding message.

$$\begin{array}{c}\hfill {\Phi}_{n}=({\Phi}_{n}^{1},{\Phi}_{n}^{2},\dots ,{\Phi}_{n}^{K}),\end{array}$$

$$\begin{array}{c}\hfill {\Phi}_{n}^{k}:{\mathcal{X}}^{L}\to {\mathcal{X}}^{M/K},\phantom{\rule{0.166667em}{0ex}}n\in \{1,\dots ,N\},k\in \{1,\dots ,K\},\end{array}$$

$$\begin{array}{c}\hfill {\Psi}_{\mathcal{T}}=({\Psi}_{\mathcal{T}}^{1},{\Psi}_{\mathcal{T}}^{2},\dots ,{\Psi}_{\mathcal{T}}^{K}),\end{array}$$

$$\begin{array}{c}\hfill {\Psi}_{\mathcal{T}}^{k}:{\mathcal{X}}^{L}\to {\mathcal{X}}^{L},\phantom{\rule{1.em}{0ex}}k\in \{1,\dots ,K\},\end{array}$$

Let us denote the capacity of the $(K,N,T)$ MDS-PIR system as $C(K,N,T)$, that of separate MDS coding as ${C}_{\perp}(K,N,T)$, and that of separate linear MDS coding with a uniform component function as ${C}_{\oplus}(K,N,T)$. It is clear from the definitions that:
It was shown in [5] that:
However, a close inspection of the converse proof in [5] reveals that:

$$\begin{array}{c}\hfill C(K,N,T)\ge {C}_{\perp}(K,N,T)\ge {C}_{\oplus}(K,N,T).\end{array}$$

$$\begin{array}{c}\hfill {C}_{\oplus}(K,N,T)={\left(1+\frac{T}{N}+\cdots +{\left(\frac{T}{N}\right)}^{K-1}\right)}^{-1}.\end{array}$$

$$\begin{array}{c}\hfill {C}_{\perp}(K,N,T)={C}_{\oplus}(K,N,T).\end{array}$$

The issue we thus wish to understand in this work is the relation between $C(K,N,T)$ and ${C}_{\perp}(K,N,T)$. In particular, we wish to identify the set of the $(K,N,T)$ triples such that:
if the set is not empty. We shall show in this work that such triples indeed exist, and they in fact span a rather wide range.

$$\begin{array}{c}\hfill C(K,N,T)>{C}_{\perp}(K,N,T),\end{array}$$

#### 2.3. Further Remarks on the System Model

The result in [5] is in fact slightly stronger than we stated in (13). Let us assume a particular MDS storage code $\mathcal{C}$ is used in the $(K,N,T)$ system, then the corresponding capacities of the $(K,N,T)$ systems as described above can be denoted as $C(K,N,T,\mathcal{C})$, ${C}_{\perp}(K,N,T,\mathcal{C})$, and ${C}_{\oplus}(K,N,T,\mathcal{C})$, respectively. The result in [5] can then be stated as that for any linear MDS code $\mathcal{C}$,
It is natural to ask whether for any particular MDS code $\mathcal{C}$, which is not necessarily linear or does not necessarily use a uniform component MDS coding function, whether ${C}_{\perp}(K,N,T,\mathcal{C})={C}_{\perp}(K,N,T)$ and, more generally, whether for any MDS code $\mathcal{C}$, $C(K,N,T,\mathcal{C})=C(K,N,T)$. We believe this is in general not true; however, it appears difficult to prove or disprove this conjecture.

$$\begin{array}{c}\hfill {C}_{\oplus}(K,N,T,\mathcal{C})={C}_{\oplus}(K,N,T)={\left(1+\frac{T}{N}+\cdots +{\left(\frac{T}{N}\right)}^{K-1}\right)}^{-1}.\end{array}$$

The MDS recovery requirement implies the following information theoretic relation:
for any $\mathcal{T}\subseteq \{1,2,\dots ,N\}$ and $\left|\mathcal{T}\right|=T$. These conditions can be used to derive converse results for a $(K,N,T)$ system and sometimes are stated directly (e.g., [24]) as the MDS recovery requirement, instead of enforcing the MDS recovery property on the coding functions.

$$\begin{array}{c}\sum _{n\in \mathcal{T}}H\left({\Phi}_{n}\left({W}^{1:K}\right)\right)=KLlog\left|\mathcal{X}\right|,\end{array}$$

$$\begin{array}{c}H\left({W}^{1:K}\right|{\Phi}_{n}\left({W}^{1:K}\right),n\in \mathcal{T})=0,\end{array}$$

## 3. Code Construction: $(\mathit{K},\mathit{N},\mathit{T})=(2,\mathit{N},2),\mathit{N}\ge 3$

In this section, we present the storage and PIR code construction when $K=T=2,N\ge 3$ and show that the PIR rate achieved with the proposed joint MDS storage code is strictly higher than the capacity of PIR with separate MDS storage code, i.e., $C(2,N,2)>{C}_{\perp}(2,N,2)$.

#### 3.1. Example: $N=4$

To illustrate the main idea in a simpler setting, we start with an example where $N=4$. We set the message size $L=3$ so that each message consisted of three symbols from ${\mathbb{F}}_{3}$. Denote ${W}^{1}=({a}_{0};{a}_{1};{a}_{2})\in {\mathbb{F}}_{3}^{3\times 1},{W}^{2}=({b}_{0};{b}_{1};{b}_{2})\in {\mathbb{F}}_{3}^{3\times 1}$.

Storage code: From the joint MDS storage code constraint, each database stores $\frac{LK}{T}=3$ symbols, and the stored variables are specified in Table 1.

It is easy to verify that we may recover both messages from the storage of any two databases. For example, consider Database 3 and Database 4. It suffices to show that $({a}_{1}-2{a}_{2};{a}_{2}-2{a}_{0};{a}_{0}-2{a}_{1})$ are invertible to ${W}^{1}=({a}_{0};{a}_{1};{a}_{2})$. Equivalently, we show that the following matrix has full rank over ${\mathbb{F}}_{3}$.

$$\begin{array}{c}\hfill \left[\begin{array}{ccc}0& 1& -2\\ -2& 0& 1\\ 1& -2& 0\end{array}\right]\to \left[\begin{array}{ccc}0& 1& 1\\ 1& 0& 1\\ 1& 1& 0\end{array}\right]\to det\left[\begin{array}{ccc}0& 1& 1\\ 1& 0& 1\\ 1& 1& 0\end{array}\right]=2\ne 0\end{array}$$

PIR code: When we retrieve ${W}^{1}$, the answers are shown in Table 2.

When we retrieve ${W}^{2}$, the answers are shown in Table 3.

Correctness and privacy: Both correctness and privacy are easy to verify. Correctness follows from the observation that from the four symbols downloaded (one from each database), we may decode the three desired symbols, as only one undesired symbol appears in the answers. Privacy is guaranteed because no matter which message is desired, for each database, the answers are identically distributed. For example, consider Database 3. The answers are equally likely to be ${a}_{0}+{b}_{2},{a}_{1}+{b}_{0}$, and ${a}_{2}+{b}_{1}$, regardless of the desired message index.

Rate that outperforms separate MDS-PIR capacity: The desired message has $L=3$ symbols, and we are downloading one symbol from each database, ${l}_{n}=1,\forall n\in \{1,2,3,4\}$. Then, the rate achieved is $\frac{L}{{\sum}_{n}{l}_{n}}=\frac{3}{4}\le C(2,4,2)$, which is strictly higher than ${C}_{\perp}(2,4,2)={(1+\frac{2}{4})}^{-1}=\frac{2}{3}$, the capacity of the separate MDS storage code.

#### 3.2. General Proof: Arbitrary $N\ge 3$

We set message size $L=N-1$, then each message consisted of $N-1$ symbols from ${\mathbb{F}}_{{p}^{m}}$ for a prime number p and an integer m such that ${p}^{m}\ge (N-3)(N-1)+2$. The primitive element of the finite field ${\mathbb{F}}_{{p}^{m}}$ is denoted as $\alpha $. Denote ${W}^{1}=({a}_{0};{a}_{1};\cdots ;{a}_{N-2})\in {\mathbb{F}}_{{p}^{m}}^{(N-1)\times 1},{W}^{2}=({b}_{0};{b}_{1};\cdots ;{b}_{N-2})\in {\mathbb{F}}_{{p}^{m}}^{(N-1)\times 1}$.

Storage code: From the joint MDS storage code constraint, each database stores $\frac{LK}{T}=N-1$ symbols, and the stored variables ${S}_{n}\in {\mathbb{F}}_{{p}^{m}}^{(N-1)\times 1},n\in \{1,\cdots ,N\}$ are set as follows.

Denote the cyclically-shifted message vector as ${\tilde{W}}^{1}\left(i\right)=({a}_{\overline{i}};{a}_{\overline{i+1}};\cdots ;{a}_{\overline{i+N-2}}),i\in \{1,\cdots ,N-2\}$ where $\overline{i}=i\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}(N-1)$, i.e., the symbol indices are interpreted modulo $N-1$.
Specifically,

$$\begin{array}{cc}\hfill {S}_{1}& ={W}^{1}\hfill \end{array}$$

$$\begin{array}{cc}\hfill {S}_{2}& ={W}^{2}\hfill \end{array}$$

$$\begin{array}{cc}\hfill {S}_{3}& =\alpha {\tilde{W}}^{1}\left(1\right)+{W}^{2}\hfill \end{array}$$

$$\begin{array}{c}\vdots \hfill \end{array}$$

$$\begin{array}{cc}\hfill {S}_{n}& ={\alpha}^{n-2}{\tilde{W}}^{1}(n-2)+{W}^{2}\hfill \end{array}$$

$$\begin{array}{c}\vdots \hfill \end{array}$$

$$\begin{array}{cc}\hfill {S}_{N}& ={\alpha}^{N-2}{\tilde{W}}^{1}(N-2)+{W}^{2}\hfill \end{array}$$

$$\begin{array}{c}{S}_{1}=({S}_{1,0};\cdots ;{S}_{1,N-2})=({a}_{0};\cdots ;{a}_{N-2})\hfill \end{array}$$

$$\begin{array}{c}{S}_{2}=({S}_{2,0};\cdots ;{S}_{2,N-2})=({b}_{0};\cdots ;{b}_{N-2})\hfill \end{array}$$

$$\begin{array}{c}{S}_{n}=({S}_{n,0};\cdots ;{S}_{n,N-2})=({\alpha}^{n-2}{a}_{\overline{n-2}}+{b}_{0};\cdots ;{\alpha}^{n-2}{a}_{\overline{n+N-4}}+{b}_{N-2}),n\in \{3,\cdots ,N\}\hfill \end{array}$$

The proof that the above storage code satisfies the MDS criterion is deferred to Section 3.2.1.

PIR code: When we retrieve ${W}^{1}$, the answers are set as follows. $\mathsf{F}$ is uniformly distributed over $\{0,1,\cdots ,N-2\}$. When $\mathsf{F}=f\in \{0,1,\cdots ,N-2\}$, we set:

$$\begin{array}{c}{A}_{1}^{[1]}={S}_{1,f}={a}_{f}\hfill \end{array}$$

$$\begin{array}{c}{A}_{2}^{[1]}={S}_{2,f}={b}_{f}\hfill \end{array}$$

$$\begin{array}{c}{A}_{3}^{[1]}={S}_{3,f}=\alpha {a}_{\overline{f+1}}+{b}_{f}\hfill \end{array}$$

$$\begin{array}{c}\vdots \hfill \end{array}$$

$$\begin{array}{c}{A}_{n}^{[1]}={S}_{n,f}={\alpha}^{n-2}{a}_{\overline{f+n-2}}+{b}_{f}\hfill \end{array}$$

$$\begin{array}{c}\vdots \hfill \end{array}$$

$$\begin{array}{c}{A}_{N}^{[1]}={S}_{N,f}={\alpha}^{N-2}{a}_{\overline{f+N-2}}+{b}_{f}\hfill \end{array}$$

When we retrieve ${W}^{2}$, the answers are set as follows. $\mathsf{F}$ is uniformly distributed over $\{0,1,\cdots ,N-2\}$. When $\mathsf{F}=f\in \{0,1,\cdots ,N-2\}$, we set:

$$\begin{array}{c}{A}_{1}^{[2]}={S}_{1,f}={a}_{f}\hfill \end{array}$$

$$\begin{array}{c}{A}_{2}^{[2]}={S}_{2,f}={b}_{f}\hfill \end{array}$$

$$\begin{array}{c}{A}_{3}^{[2]}={S}_{3,\overline{f-1}}=\alpha {a}_{f}+{b}_{\overline{f-1}}\hfill \end{array}$$

$$\begin{array}{c}\vdots \hfill \end{array}$$

$$\begin{array}{c}{A}_{n}^{[2]}={S}_{n,\overline{f-(n-2)}}={\alpha}^{n-2}{a}_{f}+{b}_{\overline{f-(n-2)}}\hfill \end{array}$$

$$\begin{array}{c}\vdots \hfill \end{array}$$

$$\begin{array}{c}{A}_{N}^{[2]}={S}_{N,\overline{f-(N-2)}}={\alpha}^{N-2}{a}_{f}+{b}_{\overline{f-(N-2)}}\hfill \end{array}$$

Correctness and privacy: Similar to the example presented in the previous section, both correctness and privacy are easy to verify. Correctness follows from the observation that the N symbols downloaded (one from each database) contain all $N-1$ desired symbols and only one undesired symbol. Specifically, when ${W}^{1}$ is desired, we may recover ${W}^{1}$ from $({A}_{1}^{[1]},{A}_{3}^{[1]}-{A}_{2}^{[1]},\cdots ,{A}_{N}^{[1]}-{A}_{2}^{[1]})$, and when ${W}^{2}$ is desired, we may recover ${W}^{2}$ from $({A}_{2}^{[2]},{A}_{3}^{[2]}-\alpha {A}_{1}^{[2]},\cdots ,{A}_{N}^{[2]}-{\alpha}^{N-2}{A}_{1}^{[2]})$. Privacy is guaranteed because no matter which message is desired, ${A}_{n}^{[1]}$ and ${A}_{n}^{[2]}$ are identically distributed. For $n=1,2$, this is trivial to see; when $n\ge 3$, since ${A}_{n}^{[1]}={S}_{n,f}$, ${A}_{n}^{[2]}={S}_{n,\overline{f-(n-2)}}$ and $f\in \{0,1,\cdots ,N-2\}$, it is seen that f and $\overline{f-(n-2)}=(f-(n-2))\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}(N-2)$ take values from the same set $\{0,1,\cdots ,N-2\}$ for any n, and moreover, the queries follow the same uniform distribution on this set for both messages.

Rate that outperforms separate MDS-PIR capacity: The desired message has $L=N-1$ symbols, and we are downloading one symbol from each database, ${l}_{n}=1,\forall n\in \{1,\cdots ,N\}$. Then, the rate achieved is $\frac{L}{{\sum}_{n}{l}_{n}}=\frac{N-1}{N}\le C(2,N,2)$. When $N\ge 3$, $C(2,N,2)\ge \frac{N-1}{N}>\frac{N}{N+2}={C}_{\perp}(2,N,2)$, the capacity of separate MDS storage code.

#### 3.2.1. Proof of MDS Storage Criterion

We show that from the stored variables of any two databases, ${S}_{i},{S}_{j},i<j,i,j\in \{1,\cdots ,N\}$, we may recover both ${W}^{1}$ and ${W}^{2}$.

When $i=1,2$, the proof is immediate. Henceforth, we consider $i\ge 3$. To show that from $({S}_{i},{S}_{j})$, we may recover $({W}^{1},{W}^{2})$, it suffices to prove that from ${S}_{i}-{S}_{j}$, we may recover ${W}^{1}$. Note that:
where ${\mathbf{C}}_{i,j}$ is an $(N-1)\times (N-1)$ circulant matrix whose rows consist of all possible cyclic shifts of the following $1\times (N-1)$ row vector,
We are left to prove the circulant matrix ${\mathbf{C}}_{i,j}$ has full rank. From a result by Ingleton [27], a circulant matrix has full rank if the following two polynomials have no common root.
To show that $f\left(x\right),g\left(x\right)$ have no common root for all integers $i,j,3\le i<j\le N$, we prove by contradiction. Suppose on the contrary that there exists an element ${x}_{0}\in {\mathbb{F}}_{{p}^{m}}$ and two integers $i,j,3\le i<j\le N$ such that $f\left({x}_{0}\right)=0$ and $g\left({x}_{0}\right)=0$, i.e.,
Taking (50) to the $(N-1)\mathrm{th}$ power, we have:
Note that $(j-i)(N-1)\le (N-3)(N-1)$. Combining with the assumption that ${p}^{m}-2\ge (N-3)(N-1)$ and $\alpha $ is a primitive element of ${\mathbb{F}}_{{p}^{m}}$, we have [28]:
which contradicts (52). The proof is now complete.

$$\begin{array}{cc}\hfill {S}_{i}-{S}_{j}& ={\alpha}^{i-2}{\tilde{W}}^{1}(i-2)-{\alpha}^{j-2}{\tilde{W}}^{1}(j-2)\hfill \end{array}$$

$$\begin{array}{c}=({\alpha}^{i-2}{a}_{\overline{i-2}}-{\alpha}^{j-2}{a}_{\overline{j-2}};\cdots ;{\alpha}^{i-2}{a}_{\overline{i+N-4}}-{\alpha}^{j-2}{a}_{\overline{j+N-4}})\hfill \end{array}$$

$$\begin{array}{c}={\mathbf{C}}_{i,j}({a}_{0};\cdots ;{a}_{N-2})\hfill \end{array}$$

$$\begin{array}{c}\hfill \mathbf{c}=({c}_{0},{c}_{1},\cdots ,{c}_{N-2})=({\alpha}^{i-2},\underset{j-i-1\phantom{\rule{3.33333pt}{0ex}}{0}^{\prime}s}{\underbrace{0,\cdots ,0}},-{\alpha}^{j-2},0,\cdots ,0).\end{array}$$

$$\begin{array}{cc}\hfill f\left(x\right)& ={c}_{0}+{c}_{1}x+\cdots {c}_{N-2}{x}^{N-2}={\alpha}^{i-2}-{\alpha}^{j-2}{x}^{j-i},\hfill \end{array}$$

$$\begin{array}{cc}\hfill g\left(x\right)& ={x}^{N-1}-1.\hfill \end{array}$$

$$\begin{array}{cc}\hfill {\alpha}^{i-2}& ={\alpha}^{j-2}{{x}_{0}}^{j-i}\hfill \end{array}$$

$$\begin{array}{cc}\hfill {x}_{0}^{N-1}& =1\hfill \end{array}$$

$$\begin{array}{cc}\hfill {\alpha}^{(i-2)(N-1)}& ={\alpha}^{(j-2)(N-1)}{\left({{x}_{0}}^{N-1}\right)}^{j-i}\hfill \end{array}$$

$$\begin{array}{cc}\hfill \stackrel{\left(51\right)}{\Rightarrow}{\alpha}^{(i-2)(N-1)}& ={\alpha}^{(j-2)(N-1)}\hfill \end{array}$$

$$\begin{array}{cc}\hfill \Rightarrow \phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}1& ={\alpha}^{(j-i)(N-1)}\hfill \end{array}$$

$$\begin{array}{c}\hfill 1\notin \{\alpha ,{\alpha}^{2},{\alpha}^{3},\cdots ,{\alpha}^{{p}^{m}-2}\}\Rightarrow {\alpha}^{(j-i)(N-1)}\ne 1,\end{array}$$

**Remark**

**1.**

The field size may be further reduced by a result from [29]. To ensure ${\mathbf{C}}_{i,j}$ has full rank, it suffices to ensure $f\left(x\right)$ and ${g}^{\prime}\left(x\right)={x}^{r}-1$ have no common root, where $N-1=r{p}^{l}$ and $p,r$ are co-prime [29]. Using this result and following similar proof steps as above, we may set ${p}^{m}\ge (N-3)r+2$. Note that here, r depends on p, so to find the smallest field size, we may search by first fixing p.

## 4. Code Construction: $(\mathit{K},\mathit{N},\mathit{T})=(\mathit{K},\mathit{K}+1,\mathit{K}),\mathit{K}\ge 2$

In this section, we present the storage and PIR code construction when $N=K+1=T+1$ and show that the PIR rate achieved with the proposed joint MDS storage code is strictly higher than the capacity of PIR with separate MDS storage code, i.e., $C(K,K+1,K)>{C}_{\perp}(K,K+1,K)$.

#### 4.1. Example: $(K,N,T)=(3,4,3)$

To illustrate the main idea in a simpler setting, we start with an example where $K=3,N=4,T=3$. We set the message size $L=2$ so that each message consisted of two bits from ${\mathbb{F}}_{2}$. Denote ${W}^{1}=({a}_{1};{a}_{2}),{W}^{2}=({b}_{1};{b}_{2}),{W}^{3}=({c}_{1};{c}_{2})$.

Storage code: From the joint MDS storage code constraint, each database stores $\frac{LK}{T}=2$ bits, and the stored variables are specified in Table 4.

The MDS storage criterion is easily verified, i.e., we may recover both messages from the storage of any three databases.

PIR code: When we retrieve ${W}^{1}$, the answers are shown in Table 5.

Correctness and privacy: Both correctness and privacy are easy to see.

Rate that outperforms separate MDS-PIR capacity: The rate achieved was $\frac{L}{{\sum}_{n}{l}_{n}}=\frac{2}{4}=\frac{1}{2}\le C(3,4,3)$, which was strictly higher than ${C}_{\perp}(3,4,3)={(1+\frac{3}{4}+{\left(\frac{3}{4}\right)}^{2})}^{-1}=\frac{16}{37}$, the capacity of separate MDS storage code.

#### 4.2. General Proof: $(K,N,T)=(K,K+1,K),K\ge 2$

The proof is a simple generalization of the example presented above. We set $L=2$, and each message consisted of two bits from ${\mathbb{F}}_{2}$. Denote ${W}^{k}=({W}_{1}^{k};{W}_{2}^{k}),k\in \{1,\cdots ,K\}$.

Storage code: Each database stores $\frac{LK}{T}=2$ bits, and the stored variables are specified in Table 8. Note that $K=T=N-1$.

The MDS storage criterion is easily verified, i.e., we may recover both messages from the storage of any $T=N-1$ databases.

PIR code: When we retrieve ${W}^{k}$, the answers are shown in Table 9.

Correctness and privacy: These follow immediately.

Rate that outperforms separate MDS-PIR capacity: The rate achieved was $\frac{L}{{\sum}_{n}{l}_{n}}=\frac{2}{N}\le C(K,K+1,K)$, while the capacity of separate MDS storage code was ${C}_{\perp}(K,K+1,K)={(1+\frac{N-1}{N}+\cdots +{\left(\frac{N-1}{N}\right)}^{N-1})}^{-1}=\frac{1-\frac{N-1}{N}}{1-{\left(\frac{N-1}{N}\right)}^{N}}=\frac{1}{N(1-{\left(\frac{N-1}{N}\right)}^{N})}$. To prove $C(K,K+1,K)>{C}_{\perp}(K,K+1,K)$, it remains to show that:
The proof is thus complete.

$$\begin{array}{cc}\hfill \frac{2}{N}& >\frac{1}{N(1-{\left(\frac{N-1}{N}\right)}^{N})}\hfill \end{array}$$

$$\begin{array}{cc}\hfill \iff {(1-\frac{1}{N})}^{N}& <\frac{1}{2}\hfill \end{array}$$

$$\begin{array}{cc}\hfill \Leftarrow {(1-\frac{1}{N})}^{N}& \le \frac{1}{e}<\frac{1}{2}.\hfill \end{array}$$

## 5. Regime Expansion Building upon Base Codes

We show that the two classes of base codes presented in previous sections for $(K,N,T)$ systems can be extended to $(K,mN,mT)$ systems (m is a positive integer). We present this result in the next two subsections, one for each class of base codes. Let us start from the simpler case of $(K,K+1,K)$ systems.

#### 5.1. From $(K,K+1,K)$ to $(K,m(K+1),mK)$ Systems

We show that $C(K,m(K+1),mK)>{C}_{\perp}(K,m(K+1),mK)$, where $K\ge 2$ and m is a positive integer.

The key idea is that we may split the messages and databases into m generic copies so that the same PIR rate is preserved. Note that the separate MDS-PIR capacity is a function of $\frac{T}{N}$, i.e., ${C}_{\perp}(K,m(K+1),mK)={C}_{\perp}(K,K+1,K)$. As $C(K,K+1,K)>{C}_{\perp}(K,K+1,K)$, it suffices to provide a joint MDS storage code for a $(K,m(K+1),mK)$ system that achieves the same PIR rate as that of a $(K,K+1,K)$ system (i.e., rate $\frac{2}{K+1}$). Such a storage and PIR code construction is presented next.

Each message is “multiplied” by m, so that we set $L=2m$, and each message consists of $2m$ symbols from ${\mathbb{F}}_{q}$, where q is an integer power of a prime number and is no fewer than $(m+1)K$. To highlight that the message symbols form two segments, we denote ${W}^{k}=({\mathbf{W}}_{1}^{k};{\mathbf{W}}_{2}^{k})\in {\mathbb{F}}_{q}^{2\times m}$, where ${\mathbf{W}}_{i}^{k}=({W}_{i,1}^{k},\cdots ,{W}_{i,m}^{k})\in {\mathbb{F}}_{q}^{1\times m},i\in \{1,2\}$.

Storage code: Each database stores $\frac{LK}{T}=2$ symbols, as specified in Table 10. For the ease of presentation, the $N=m(K+1)$ databases are divided into $K+1$ groups (m databases each) and labeled as $DB(1,1),\cdots ,DB(1,m),\cdots ,DB(K+1,m)$. Denote a group of databases as $\mathbf{DB}(k,:)$$=\left(DB(k,1),\cdots ,DB(k,m)\right),k\in \{1,2,\cdots ,K+1\}$. A database in group $k,k\in \{1,\cdots ,K\}$ stores two distinct ${W}^{k}$ symbols (one from ${\mathbf{W}}_{1}^{k}$ and one from ${\mathbf{W}}_{2}^{k}$). The $(K+1)\mathrm{th}$ group of databases stores generic combinations of the message symbols. Denote ${\mathbf{W}}_{1}=({\left({\mathbf{W}}_{1}^{1}\right)}^{T};\cdots ;{\left({\mathbf{W}}_{1}^{K}\right)}^{T})\in {\mathbb{F}}_{q}^{mK\times 1},{\mathbf{W}}_{2}=({\left({\mathbf{W}}_{2}^{1}\right)}^{T};\cdots ;{\left({\mathbf{W}}_{2}^{K}\right)}^{T})\in {\mathbb{F}}_{q}^{mK\times 1}$. $\mathbf{C}(i,:)\in {\mathbb{F}}_{q}^{1\times mK},i\in \{1,\cdots ,m\}$ denotes the $i\mathrm{th}$ row of an $m\times mK$ Cauchy matrix $\mathbf{C}$ with elements $\mathbf{C}(i,j)$ in the form:
Note that $q\ge (m+1)K$; therefore, such distinct ${\alpha}_{i}$’s and ${\beta}_{j}$’s exist.

$$\begin{array}{c}\hfill \mathbf{C}(i,j)=\frac{1}{{\alpha}_{i}-{\beta}_{j}},{\alpha}_{i}\ne {\beta}_{j},\forall i\in \{1,\cdots ,m\},j\in \{1,\cdots ,mK\}.\end{array}$$

We now verify that the MDS storage criterion is satisfied, i.e., both messages can be recovered from the storage of any $T=mK$ databases. The two message segments ${\mathbf{W}}_{1},{\mathbf{W}}_{2}$ are encoded in the same manner, so it suffices to consider one segment, say Segment $1,{\mathbf{W}}_{1}$. Suppose among the $T=mK$ databases, ${T}_{1}\le (m-1)K$ databases are from the first K database groups and the remaining $T-{T}_{1}$ databases are from the $(K+1)\mathrm{th}$ database group. The ${T}_{1}$ databases from the first K database groups contribute ${T}_{1}$ raw message symbols from ${\mathbf{W}}_{1}$, then we only need to show that the remaining $T-{T}_{1}$ symbols from ${\mathbf{W}}_{1}$ can be recovered from the $T-{T}_{1}$ databases of the $(K+1)\mathrm{th}$ database group. This is equivalent to prove that a $(T-{T}_{1})\times (T-{T}_{1})$ sub-matrix of the Cauchy matrix $\mathbf{C}\in {\mathbb{F}}_{q}^{m\times mK}$ has full rank, which trivially holds for any Cauchy matrix.

PIR code: When we retrieve ${W}^{k}$, the answers are shown in Table 11.

Correctness and privacy: Privacy follows from the observation that no matter which message is desired, the answer from any database is equally likely to come from Message Segment 1 or 2. To see the correctness, note that all non-desired message symbols appeared in answers from the $(K+1)\mathrm{th}$ database group are directly downloaded, and thus, they can be canceled. m desired symbols are directly downloaded, and the other m desired symbols can be successfully recovered because the m linear combinations of desired symbols downloaded from the $(K+1)\mathrm{th}$ database group have full rank (note that $\mathbf{C}\in {\mathbb{F}}_{q}^{m\times mK}$ is a Cauchy matrix). The rate achieved is $\frac{2}{K+1}$ as $L=2m$, and we have downloaded one symbol from each of the $m(K+1)$ databases.

#### 5.2. From $(2,N,2)$ to $(2,mN,2m)$ Systems

We show that $C(2,mN,2m)>{C}_{\perp}(2,mN,2m)$, where $N\ge 3$ and m is a positive integer. Similar to the reasoning in the previous section, it suffices to provide a joint MDS storage code for a $(2,mN,2m)$ system that achieves the PIR rate $\frac{N-1}{N}$ (same as that of a $(2,N,2)$ system from Section 4). The idea is also based on splitting the messages and databases. Let us start with an example where $N=4,m=2$.

#### 5.2.1. Example: $N=4,m=2$

The message size is multiplied by $m=2$ so that we set $L=m(N-1)=6$, and each message consisted of six symbols from ${\mathbb{F}}_{q}$, where q will be specified later. At this point, it is useful to view q as a sufficiently large prime number. Denote ${W}^{1}=({\mathbf{a}}_{0};{\mathbf{a}}_{1};{\mathbf{a}}_{2})$, where ${\mathbf{a}}_{i}=({a}_{i};{a}_{i}^{\prime}),i\in \{0,1,2\}$ and ${W}^{2}=({\mathbf{b}}_{0};{\mathbf{b}}_{1};{\mathbf{b}}_{2})$, where ${\mathbf{b}}_{i}=({b}_{i};{b}_{i}^{\prime}),i\in \{0,1,2\}$.

Storage code: Each database stores $\frac{LK}{T}=3$ symbols, as specified in Table 12. Define:

$$\begin{array}{c}\hfill {\mathbf{h}}_{i}=({h}_{i},{h}_{i}^{\prime})\in {\mathbb{F}}_{q}^{1\times 2},{\mathbf{g}}_{i}=({g}_{i},{g}_{i}^{\prime})\in {\mathbb{F}}_{q}^{1\times 2},i\in \{1,2,\cdots ,12\}.\end{array}$$

We will show that there exist feasible choices of ${\mathbf{h}}_{i},{\mathbf{g}}_{i}$. Specifically, we may choose ${h}_{i},{h}_{i}^{\prime},{g}_{i},{g}_{i}^{\prime}$ i.i.d. and uniform over ${\mathbb{F}}_{q}$.

To verify the MDS storage criterion, we need to show that both messages can be recovered from the storage of any four databases. The detailed proof is deferred to the general proof presented in the next section, and we give a sketch here. Every four databases contributes 12 linear combinations on the 12 message symbols, and this linear mapping is given by a $12\times 12$ matrix. We view its determinant polynomial as a function of variables $({h}_{i},{h}_{i}^{\prime},{g}_{i},{g}_{i}^{\prime})$. As shown in the general proof, these determinant polynomials are not zero polynomials. Overall, we have $\left(\genfrac{}{}{0pt}{}{8}{4}\right)$ determinant polynomials, and each polynomial has degree at most 12. Consider the product of all such determinant polynomials, which is another polynomial with degree at most $12\times \left(\genfrac{}{}{0pt}{}{8}{4}\right)$. Therefore, by the Schwartz–Zippel lemma, if we set $q>12\times \left(\genfrac{}{}{0pt}{}{8}{4}\right)$, then the probability that this product polynomial evaluates to zero is non-zero. In other words, we found a feasible choice of $({h}_{i},{h}_{i}^{\prime},{g}_{i},{g}_{i}^{\prime})$ that guarantees the storage code satisfies the MDS criterion.

PIR code: The PIR code is almost identical to that when $m=1$. When we retrieve ${W}^{1}$, the answers are shown in Table 13.

When we retrieve ${W}^{2}$, the answers are shown in Table 14.

Correctness and privacy: Privacy is easily seen. To prove correctness, note that non-desired symbols can be canceled, and we only need to ensure the received desired equations are invertible to the message symbols. This claim follows from Schwartz–Zippel lemma that shows that $({\mathbf{h}}_{2i-1};{\mathbf{h}}_{2i})\in {\mathbb{F}}_{q}^{2\times 2},({\mathbf{g}}_{2i-1};{\mathbf{g}}_{2i})\in {\mathbb{F}}_{q}^{2\times 2}$ have full rank with non-zero probability over a sufficiently large field. Here, we have 12 matrices, each of which has dimension $2\times 2$ and has a determinant polynomial of degree at most two.

Overall, we need to guarantee the correctness and MDS criterion are simultaneously satisfied. Take the product of all determinant polynomials, whose degree is at most $12\times \left(\genfrac{}{}{0pt}{}{8}{4}\right)+12\times 2$. Therefore, we set $q>12\times \left(\genfrac{}{}{0pt}{}{8}{4}\right)+12\times 2$, and by Schwartz–Zippel lemma, there exist a feasible choice of $({h}_{i},{h}_{i}^{\prime},{g}_{i},{g}_{i}^{\prime})$ over ${\mathbb{F}}_{q}$.

#### 5.2.2. General Proof: Arbitrary $N\ge 3,m\ge 2$

We set $L=m(N-1)$, and each message consisted of L symbols from ${\mathbb{F}}_{q}$, where q is an integer power of a prime number and is no fewer than $2m(N-2)(N-1)+2m(N-1)\left(\genfrac{}{}{0pt}{}{mN}{2m}\right)$. Denote ${W}^{1}=({\mathbf{a}}_{0};\cdots ;{\mathbf{a}}_{N-2})\in {\mathbb{F}}_{q}^{m(N-1)\times 1}$, where ${\mathbf{a}}_{i}=({a}_{i,1};\cdots ;{a}_{i,m})\in {\mathbb{F}}_{q}^{m\times 1},i\in \{0,1,\cdots ,N-2\}$ and ${W}^{2}=({\mathbf{b}}_{0};\cdots ;{\mathbf{b}}_{N-2})\in {\mathbb{F}}_{q}^{m(N-1)\times 1}$, where ${\mathbf{b}}_{i}=({b}_{i,1};\cdots ;{b}_{i,m})\in {\mathbb{F}}_{q}^{m\times 1},i\in \{0,1,\cdots ,N-2\}$.

Storage code: Each database stores $\frac{LK}{T}=N-1$ symbols. Denote the $mN$ databases as $DB(1,1),\cdots ,DB(1,m),\cdots ,DB(N,m)$. The stored variables ${S}_{n,j}\in {\mathbb{F}}_{q}^{(N-1)\times 1},n\in \{1,\cdots ,N\}$, $j\in \{1,\cdots ,m\}$ are set as follows.

Denote $\overline{i}=i\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}(N-1)$. For any $j\in \{1,\cdots ,m\}$,
where for any $i\in \{0,\cdots ,N-2\}$,
The proof that there exist choices of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ such that the above storage code satisfies the MDS criterion is deferred to Section 5.2.3.

$$\begin{array}{cc}\hfill {S}_{1,j}& =({S}_{1,j,0};\cdots ;{S}_{1,j,N-2})=({a}_{0,j};{a}_{1,j};\cdots ;{a}_{N-2,j})\hfill \end{array}$$

$$\begin{array}{cc}\hfill {S}_{2,j}& =({S}_{2,j,0};\cdots ;{S}_{2,j,N-2})=({b}_{0,j};{b}_{1,j};\cdots ;{b}_{N-2,j})\hfill \\ \hfill {S}_{n,j}& =({S}_{n,j,0};\cdots ;{S}_{n,j,N-2})=({\mathbf{h}}_{n,j,0}{\mathbf{a}}_{\overline{n-2}}+{\mathbf{g}}_{n,j,0}{\mathbf{b}}_{0};\cdots ;{\mathbf{h}}_{n,j,N-2}{\mathbf{a}}_{\overline{n+N-4}}+{\mathbf{g}}_{n,j,N-2}{\mathbf{b}}_{N-2}),\hfill \end{array}$$

$$\begin{array}{c}n\in \{3,\cdots ,N\}\hfill \end{array}$$

$$\begin{array}{c}\hfill {\mathbf{h}}_{n,j,i}\in {\mathbb{F}}_{q}^{1\times m},{\mathbf{g}}_{n,j,i}\in {\mathbb{F}}_{q}^{1\times m}.\end{array}$$

PIR code: When we retrieve ${W}^{1}$, we download one symbol from each database, and the answers are set as follows. $\mathsf{F}$ is uniform over $\{0,1,\cdots ,N-2\}$. When $\mathsf{F}=f\in \{0,1,\cdots ,N-2\}$, for any $j\in \{1,2,\cdots ,m\}$, we set:

$$\begin{array}{c}{A}_{1,j}^{[1]}={S}_{1,j,f}={a}_{f,j}\hfill \end{array}$$

$$\begin{array}{c}{A}_{2,j}^{[1]}={S}_{2,j,f}={b}_{f,j}\hfill \end{array}$$

$$\begin{array}{c}{A}_{n,j}^{[1]}={S}_{n,j,f}={\mathbf{h}}_{n,j,f}{\mathbf{a}}_{\overline{f+n-2}}+{\mathbf{g}}_{n,j,f}{\mathbf{b}}_{f},n\in \{3,\cdots ,N\}\hfill \end{array}$$

When we retrieve ${W}^{2}$, the answers are set as follows. $\mathsf{F}$ is uniform over $\{0,1,\cdots ,N-2\}$. When $\mathsf{F}=f\in \{0,1,\cdots ,N-2\}$, for any $j\in \{1,2,\cdots ,m\}$, we set:

$$\begin{array}{c}{A}_{1,j}^{[2]}={S}_{1,j,f}={a}_{f,j}\hfill \end{array}$$

$$\begin{array}{c}{A}_{2,j}^{[2]}={S}_{2,j,f}={b}_{f,j}\hfill \end{array}$$

$$\begin{array}{c}{A}_{n,j}^{[2]}={S}_{n,j,\overline{f-(n-2)}}={\mathbf{h}}_{n,j,\overline{f-(n-2)}}{\mathbf{a}}_{f}+{\mathbf{g}}_{n,j,\overline{f-(n-2)}}{\mathbf{b}}_{\overline{f-(n-2)}},n\in \{3,\cdots ,N\}\hfill \end{array}$$

Correctness and privacy: Privacy is easy to verify. For any $n,j$, ${A}_{n,j}^{[1]}$ and ${A}_{n,j}^{[2]}$ are identically distributed due to the modulo operation. Next, consider correctness. Due to symmetry, we only need to consider the case when ${W}^{1}$ is the desired message. From ${A}_{2,j}^{[1]},\forall j\in \{1,\cdots ,m\}$, we have obtained all non-desired symbols $({b}_{f,1};\cdots ;{b}_{f,m})={\mathbf{b}}_{f}$. After canceling the contribution of ${\mathbf{b}}_{f}$ from ${A}_{n,j}^{[1]},n\ge 3$, we need to show that for any $n,f$, the $m\times m$ matrix $({\mathbf{h}}_{n,1,f};\cdots ;{\mathbf{h}}_{n,m,f})$ has full rank, which follows from the Schwartz–Zippel lemma over a sufficiently large field. We have $2(N-2)(N-1)$ such matrices, each of size $m\times m$. The product of all these determinant polynomials has degree at most $2m(N-2)(N-1)$.

#### 5.2.3. Proof of the MDS Storage Criterion

We show that when each element of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ is drawn independently and uniformly from ${\mathbb{F}}_{q}$; the probability that the MDS criterion is satisfied is non-zero, so that there exists a feasible choice.

Consider any $T=2m$ databases. We show that there exists an assignment of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ so that the mapping from the storage of the T databases to the $2L$ message symbols is invertible. This shows that the $2L\times 2L$ matrix that describes the linear mapping has a non-zero determinant polynomial. Consider all choices of $\left(\genfrac{}{}{0pt}{}{mN}{2m}\right)$ databases, and take the product of all such determinant polynomials. Each polynomial has degree at most $2L$, so the degree of the product polynomial is at most $2L\left(\genfrac{}{}{0pt}{}{mN}{2m}\right)$. Therefore, over a sufficiently large field, by the Schwartz–Zippel lemma, there exists a choice of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ so that all polynomials evaluate to non-zero values, and the storage code is indeed MDS.

We are left to show that for any $T=2m$ databases, we may assign ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ (for a given choice of $T=2m$ databases) so that the storage is able to recover all $2L$ message symbols. The proof is based on a crucial property, stated in the following lemma. Define ${\overrightarrow{a}}_{j}=({a}_{0,j};{a}_{1,j};\cdots ;{a}_{N-2,j})$, ${\overrightarrow{b}}_{j}=({b}_{0,j};{b}_{1,j};\cdots ;{b}_{N-2,j}),j\in \{1,\cdots ,m\}$.

**Lemma**

**1.**

Consider any $n\in \{3,\cdots ,N\},j\in \{1,\cdots ,m\}$; there exists a choice of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i},i\in \{0,1,\cdots ,N-2\}$ so that from ${S}_{n,j}$, we may obtain ${\overrightarrow{a}}_{{j}^{*}}$ for any ${j}^{*}\in \{1,\cdots ,m\}$ and another choice of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i},i\in \{0,1,\cdots ,N-2\}$ so that from ${S}_{n,j}$, we may obtain ${\overrightarrow{b}}_{{j}^{*}}$ for any ${j}^{*}\in \{1,\cdots ,m\}$.

**Proof**

**of**

**Lemma**

**1.**

The proof is fairly simple because ${S}_{n,j}$ contains all symbols from ${\overrightarrow{a}}_{{j}^{*}}$ and ${\overrightarrow{b}}_{{j}^{*}}$ for any ${j}^{*}$. Consider first ${S}_{n,j}={\overrightarrow{a}}_{{j}^{*}}$. For all $i\in \{0,1,\cdots ,N-2\}$, set:
where ${\mathbf{e}}_{{j}^{*}}$ is a $1\times m$ unit vector so that only the element of the ${j}^{*}$-th position is one and all other elements are zero, then we have:
which is a cyclic shift of ${\overrightarrow{a}}_{{j}^{*}}=({a}_{0,{j}^{*}};{a}_{1,{j}^{*}};\cdots ;{a}_{N-2,{j}^{*}})$.

$$\begin{array}{cc}\hfill {\mathbf{g}}_{n,j,i}& =\mathbf{0}\hfill \end{array}$$

$$\begin{array}{cc}\hfill {\mathbf{h}}_{n,j,i}& ={\mathbf{e}}_{{j}^{*}}\hfill \end{array}$$

$$\begin{array}{cc}\hfill {S}_{n,j}& =({S}_{n,j,0};\cdots ;{S}_{n,j,N-2})=({\mathbf{h}}_{n,j,0}{\mathbf{a}}_{\overline{n-2}}+{\mathbf{g}}_{n,j,0}{\mathbf{b}}_{0};\cdots ;{\mathbf{h}}_{n,j,N-2}{\mathbf{a}}_{\overline{n+N-4}}+{\mathbf{g}}_{n,j,N-2}{\mathbf{b}}_{N-2})\hfill \end{array}$$

$$\begin{array}{c}=({\mathbf{h}}_{n,j,0}{\mathbf{a}}_{\overline{n-2}};\cdots ;{\mathbf{h}}_{n,j,N-2}{\mathbf{a}}_{\overline{n+N-4}})\hfill \end{array}$$

$$\begin{array}{c}=({a}_{\overline{n-2},{j}^{*}};\cdots ;{a}_{\overline{n+N-4},{j}^{*}})\hfill \end{array}$$

The case of ${S}_{n,j}={\overrightarrow{b}}_{{j}^{*}}$ follows similarly from the assignment given above. □

Fix any $T=2m$ databases. Suppose ${T}_{1}\le 2m$ databases are from $DB(i,j)$ where $i\in \{1,2\}$, $j\in \{1,\cdots ,m\}$ and they will contribute ${T}_{1}$ distinct ${\overrightarrow{a}}_{{j}_{1}^{*}}$ and ${\overrightarrow{b}}_{{j}_{2}^{*}}$ vectors. The remaining $T-{T}_{1}$ databases are from $DB(n,j)$ where $n\in \{3,\cdots ,N\},j\in \{1,\cdots ,m\}$, and our goal is to recover all remaining $T-{T}_{1}$${\overrightarrow{a}}_{{j}_{3}^{*}}$ and ${\overrightarrow{b}}_{{j}_{4}^{*}}$ vectors. We can identify a one-to-one mapping between the $T-{T}_{1}$ databases and the remaining $(T-{T}_{1}){\overrightarrow{a}}_{{j}_{3}^{*}}$ and ${\overrightarrow{b}}_{{j}_{4}^{*}}$ vectors and apply Lemma 1 to find the assignment such that the ${\overrightarrow{a}}_{{j}_{3}^{*}}$ and ${\overrightarrow{b}}_{{j}_{4}^{*}}$ vectors are fully recovered. Hence, from any T databases, we may recover $({\overrightarrow{a}}_{1},\cdots ,{\overrightarrow{a}}_{m})$ and $({\overrightarrow{b}}_{1},\cdots ,{\overrightarrow{b}}_{m})$, i.e., all symbols from ${W}^{1}$ and ${W}^{2}$. Therefore, there indeed exists a choice of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ for which the determinant polynomial is not zero.

Finally, we need to consider the correctness and MDS criterion jointly and show that there exists a single choice of ${\mathbf{h}}_{n,j,i},{\mathbf{g}}_{n,j,i}$ that satisfies both constraints at the same time. The product of all determinant polynomials has degree at most $2m(N-2)(N-1)+2m(N-1)\left(\genfrac{}{}{0pt}{}{mN}{2m}\right)$, and as $q>2m(N-2)(N-1)+2m(N-1)\left(\genfrac{}{}{0pt}{}{mN}{2m}\right)$, the Schwartz-Zippel lemma guarantees the existence of a feasible choice.

## 6. Conclusions

We considered the problem of private information retrieval from MDS-coded databases. Different from the prevailing approach in the literature where the messages are encoded separately using MDS codes, we considered encoding and storing the messages jointly using an MDS code in the databases. There are many cases for which by jointly MDS-coding, we can break the capacity barrier of the separate coding MDS-PIR. To establish this result, two novel code constructions and the corresponding PIR protocols were presented, and moreover, an expansion technique was introduced to allow more general parameters. The capacity of PIR with joint MDS storage, especially the converse side, remains an interesting future direction.

References

## Author Contributions

The authors contribute equally to this work.

## Funding

The work of C. Tian was supported in part by the National Science Foundation under Grants CCF-18-32309 and CCF-18-16546.

## Conflicts of Interest

The authors declare no conflict of interest.

## References

- Chor, B.; Kushilevitz, E.; Goldreich, O.; Sudan, M. Private Information Retrieval. J. ACM (JACM)
**1998**, 45, 965–981. [Google Scholar] [CrossRef] - Sun, H.; Jafar, S.A. The capacity of private information retrieval. In Proceedings of the 2016 IEEE Global Communications Conference (GLOBECOM), Washington, DC, USA, 4–8 December 2016; pp. 1–6. [Google Scholar]
- Shah, N.B.; Rashmi, K.; Ramchandran, K. One extra bit of download ensures perfectly private information retrieval. In Proceedings of the 2014 IEEE International Symposium on Information Theory (ISIT), Honolulu, HI, USA, 29 June–4 July 2014; pp. 856–860. [Google Scholar]
- Freij-Hollanti, R.; Gnilke, O.W.; Hollanti, C.; Karpuk, D.A. Private information retrieval from coded databases with colluding servers. SIAM J. Appl. Algebra Geom.
**2017**, 1, 647–664. [Google Scholar] [CrossRef] - Banawan, K.; Ulukus, S. The capacity of private information retrieval from coded databases. IEEE Trans. Inf. Theory
**2018**, 64, 1945–1956. [Google Scholar] [CrossRef] - Tajeddine, R.; Rouayheb, S.E. Private Information Retrieval from MDS Coded Data in Distributed Storage Systems. arXiv
**2016**, arXiv:1602.01458. [Google Scholar] - Xu, J.; Zhang, Z. On Sub-Packetization and Access Number of Capacity-Achieving PIR Schemes for MDS Coded Non-Colluding Databases. Sci. China Inf. Sci.
**2018**, 61, 100306:1–100306:16. [Google Scholar] [CrossRef] - Kumar, S.; Lin, H.Y.; Rosnes, E.; i Amat, A.G. Achieving maximum distance separable private information retrieval capacity with linear codes. IEEE Trans. Inf. Theory
**2019**, 65, 4243–4273. [Google Scholar] [CrossRef] - Attia, M.A.; Kumar, D.; Tandon, R. The capacity of private information retrieval from uncoded storage constrained databases. arXiv
**2018**, arXiv:1805.04104. [Google Scholar] - Woolsey, N.; Chen, R.R.; Ji, M. An Optimal Iterative Placement Algorithm for PIR from Heterogeneous Storage-Constrained Databases. arXiv
**2019**, arXiv:1904.02131. [Google Scholar] - Banawan, K.; Arasli, B.; Wei, Y.P.; Ulukus, S. The Capacity of Private Information Retrieval from Heterogeneous Uncoded Caching Databases. arXiv
**2019**, arXiv:1902.09512. [Google Scholar] - Raviv, N.; Tamot, I. Private Information Retrieval in Graph Based Replication Systems. In Proceedings of the 2018 IEEE International Symposium on Information Theory (ISIT), Vail, CO, USA, 17–22 June 2018; pp. 1739–1743. [Google Scholar]
- Lin, H.Y.; Kumar, S.; Rosnes, E.; i Amat, A.G. On the fundamental limit of private information retrieval for coded distributed storage. arXiv
**2018**, arXiv:1808.09018. [Google Scholar] - Chan, T.H.; Ho, S.W.; Yamamoto, H. Private information retrieval for coded storage. In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT), Hong Kong, China, 14–19 June 2015; pp. 2842–2846. [Google Scholar]
- Sun, H.; Jafar, S.A. Multiround private information retrieval: Capacity and storage overhead. IEEE Trans. Inf. Theory
**2018**, 64, 5743–5754. [Google Scholar] [CrossRef] - Tian, C.; Sun, H.; Chen, J. A Shannon-Theoretic Approach to the Storage-Retrieval Tradeoff in PIR Systems. In Proceedings of the 2018 IEEE International Symposium on Information Theory (ISIT), Vail, CO, USA, 17–22 June 2018; pp. 1904–1908. [Google Scholar]
- Fazeli, A.; Vardy, A.; Yaakobi, E. Codes for distributed PIR with low storage overhead. Proceedings of IEEE International Symposium on Information Theory (ISIT), Hong Kong, China, 14–19 June 2015; pp. 2852–2856. [Google Scholar]
- Rao, S.; Vardy, A. Lower Bound on the Redundancy of PIR Codes. arXiv
**2016**, arXiv:1605.01869. [Google Scholar] - Blackburn, S.R.; Etzion, T. PIR array codes with optimal virtual server rate. IEEE Trans. Inf. Theory
**2019**. [Google Scholar] [CrossRef] - Zhang, Y.; Wang, X.; Wei, H.; Ge, G. On private information retrieval array codes. IEEE Trans. Inf. Theory
**2019**, 65, 5565–5573. [Google Scholar] [CrossRef] - Skachek, V. Batch and PIR codes. In Network Coding and Subspace Designs; Springer: Berlin/Heidelberg, Germany, 2018; pp. 427–442. [Google Scholar]
- Vajha, M.; Ramkumar, V.; Kumar, P.V. Binary, shortened projective Reed Muller codes for coded private information retrieval. In Proceedings of the 2017 IEEE International Symposium on Information Theory (ISIT), Aachen, Germany, 25–30 June 2017; pp. 2648–2652. [Google Scholar]
- Tajeddine, R.; Gnilke, O.W.; El Rouayheb, S. Private information retrieval from MDS coded data in distributed storage systems. IEEE Trans. Inf. Theory
**2018**, 64, 7081–7093. [Google Scholar] [CrossRef] - Sun, H.; Jafar, S.A. Private Information Retrieval from MDS Coded Data with Colluding Servers: Settling a Conjecture by Freij-Hollanti et al. IEEE Trans. Inf. Theory
**2018**, 64, 1000–1022. [Google Scholar] [CrossRef] - Wang, Q.; Skoglund, M. Symmetric private information retrieval for MDS coded distributed storage. In Proceedings of the 2017 IEEE International Conference on Communications (ICC), Paris, France, 21–25 May 2017; pp. 1–6. [Google Scholar]
- Zhou, R.; Tian, C.; Liu, T.; Sun, H. Capacity-Achieving Private Information Retrieval Codes from MDS-Coded Databases with Minimum Message Size. In Proceedings of the 2019 IEEE International Symposium on Information Theory (ISIT), Paris, France, 7–12 July 2019; pp. 370–374. [Google Scholar]
- Ingleton, A.W. The rank of circulant matrices. J. Lond. Math. Soc.
**1956**, 1, 445–460. [Google Scholar] [CrossRef] - Lidl, R.; Niederreiter, H. Introduction to Finite Fields and Their Applications; Cambridge University Press: Cambridge, UK, 1994. [Google Scholar]
- Guan, P.H.; He, Y. Exact results for deterministic cellular automata with additive rules. J. Stat. Phys.
**1986**, 43, 463–478. [Google Scholar] [CrossRef]

Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|

${a}_{0}$ | ${b}_{0}$ | ${a}_{1}+{b}_{0}$ | $2{a}_{2}+{b}_{0}$ |

${a}_{1}$ | ${b}_{1}$ | ${a}_{2}+{b}_{1}$ | $2{a}_{0}+{b}_{1}$ |

${a}_{2}$ | ${b}_{2}$ | ${a}_{0}+{b}_{2}$ | $2{a}_{1}+{b}_{2}$ |

$\mathsf{F}$ | Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|---|

0 | ${a}_{0}$ | ${b}_{0}$ | ${a}_{1}+{b}_{0}$ | $2{a}_{2}+{b}_{0}$ |

1 | ${a}_{1}$ | ${b}_{1}$ | ${a}_{2}+{b}_{1}$ | $2{a}_{0}+{b}_{1}$ |

2 | ${a}_{2}$ | ${b}_{2}$ | ${a}_{0}+{b}_{2}$ | $2{a}_{1}+{b}_{2}$ |

$\mathsf{F}$ | Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|---|

0 | ${a}_{0}$ | ${b}_{0}$ | ${a}_{0}+{b}_{2}$ | $2{a}_{0}+{b}_{1}$ |

1 | ${a}_{1}$ | ${b}_{1}$ | ${a}_{1}+{b}_{0}$ | $2{a}_{1}+{b}_{2}$ |

2 | ${a}_{2}$ | ${b}_{2}$ | ${a}_{2}+{b}_{1}$ | $2{a}_{2}+{b}_{0}$ |

Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|

${a}_{1}$ | ${b}_{1}$ | ${c}_{1}$ | ${a}_{1}+{b}_{1}+{c}_{1}$ |

${a}_{2}$ | ${b}_{2}$ | ${c}_{2}$ | ${a}_{2}+{b}_{2}+{c}_{2}$ |

$\mathsf{F}$ | Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|---|

1 | ${a}_{2}$ | ${b}_{1}$ | ${c}_{1}$ | ${a}_{1}+{b}_{1}+{c}_{1}$ |

2 | ${a}_{1}$ | ${b}_{2}$ | ${c}_{2}$ | ${a}_{2}+{b}_{2}+{c}_{2}$ |

$\mathsf{F}$ | Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|---|

1 | ${a}_{1}$ | ${b}_{2}$ | ${c}_{1}$ | ${a}_{1}+{b}_{1}+{c}_{1}$ |

2 | ${a}_{2}$ | ${b}_{1}$ | ${c}_{2}$ | ${a}_{2}+{b}_{2}+{c}_{2}$ |

$\mathsf{F}$ | Database 1 | Database 2 | Database 3 | Database 4 |
---|---|---|---|---|

1 | ${a}_{1}$ | ${b}_{1}$ | ${c}_{2}$ | ${a}_{1}+{b}_{1}+{c}_{1}$ |

2 | ${a}_{2}$ | ${b}_{2}$ | ${c}_{1}$ | ${a}_{2}+{b}_{2}+{c}_{2}$ |

Database 1 | Database 2 | ⋯ | Database $(\mathit{N}-1)$ | Database N |
---|---|---|---|---|

${W}_{1}^{1}$ | ${W}_{1}^{2}$ | ⋯ | ${W}_{1}^{K}$ | ${\sum}_{k=1}^{K}{W}_{1}^{k}$ |

${W}_{2}^{1}$ | ${W}_{2}^{2}$ | ⋯ | ${W}_{2}^{K}$ | ${\sum}_{k=1}^{K}{W}_{2}^{k}$ |

$\mathsf{F}$ | Database 1 | ⋯ | Database k | ⋯ | Database $(\mathit{N}-1)$ | Database N |
---|---|---|---|---|---|---|

1 | ${W}_{1}^{1}$ | ⋯ | ${W}_{2}^{k}$ | ⋯ | ${W}_{1}^{K}$ | ${\sum}_{k=1}^{K}{W}_{1}^{k}$ |

2 | ${W}_{2}^{1}$ | ⋯ | ${W}_{1}^{k}$ | ⋯ | ${W}_{2}^{K}$ | ${\sum}_{k=1}^{K}{W}_{2}^{k}$ |

$\mathbf{DB}(1,:)$ | $\mathbf{DB}(2,:)$ | ⋯ | $\mathbf{DB}(\mathit{K},:)$ | $\mathbf{DB}(\mathit{K}+1,1)$ | ⋯ | $\mathbf{DB}(\mathit{K}+1,\mathit{m})$ |
---|---|---|---|---|---|---|

${\mathbf{W}}_{1}^{1}$ | ${\mathbf{W}}_{1}^{2}$ | ⋯ | ${\mathbf{W}}_{1}^{K}$ | $\mathbf{C}(1,:){\mathbf{W}}_{1}$ | ⋯ | $\mathbf{C}(m,:){\mathbf{W}}_{1}$ |

${\mathbf{W}}_{2}^{1}$ | ${\mathbf{W}}_{2}^{2}$ | ⋯ | ${\mathbf{W}}_{2}^{K}$ | $\mathbf{C}(1,:){\mathbf{W}}_{2}$ | ⋯ | $\mathbf{C}(m,:){\mathbf{W}}_{2}$ |

$\mathsf{F}$ | $\mathbf{DB}(1,:)$ | ⋯ | $\mathbf{DB}(\mathit{k},:)$ | ⋯ | $\mathbf{DB}(\mathit{K},:)$ | $\mathbf{DB}(\mathit{K}+1,1)$ | ⋯ | $\mathbf{DB}(\mathit{K}+1,\mathit{m})$ |
---|---|---|---|---|---|---|---|---|

1 | ${\mathbf{W}}_{1}^{1}$ | ⋯ | ${\mathbf{W}}_{2}^{k}$ | ⋯ | ${\mathbf{W}}_{1}^{K}$ | $\mathbf{C}(1,:){\mathbf{W}}_{1}$ | ⋯ | $\mathbf{C}(m,:){\mathbf{W}}_{1}$ |

2 | ${\mathbf{W}}_{2}^{1}$ | ⋯ | ${\mathbf{W}}_{1}^{k}$ | ⋯ | ${\mathbf{W}}_{2}^{K}$ | $\mathbf{C}(1,:){\mathbf{W}}_{2}$ | ⋯ | $\mathbf{C}(m,:){\mathbf{W}}_{2}$ |

(DB1, DB2) | (DB3, DB4) | (DB5, DB6) | (DB7, DB8) |
---|---|---|---|

$({a}_{0},{a}_{0}^{\prime})$ | $({b}_{0},{b}_{0}^{\prime})$ | $({\mathbf{h}}_{1}{\mathbf{a}}_{1}+{\mathbf{g}}_{1}{\mathbf{b}}_{0},{\mathbf{h}}_{2}{\mathbf{a}}_{1}+{\mathbf{g}}_{2}{\mathbf{b}}_{0})$ | $({\mathbf{h}}_{7}{\mathbf{a}}_{2}+{\mathbf{g}}_{7}{\mathbf{b}}_{0},{\mathbf{h}}_{8}{\mathbf{a}}_{2}+{\mathbf{g}}_{8}{\mathbf{b}}_{0})$ |

$({a}_{1},{a}_{1}^{\prime})$ | $({b}_{1},{b}_{1}^{\prime})$ | $({\mathbf{h}}_{3}{\mathbf{a}}_{2}+{\mathbf{g}}_{3}{\mathbf{b}}_{1},{\mathbf{h}}_{4}{\mathbf{a}}_{2}+{\mathbf{g}}_{4}{\mathbf{b}}_{1})$ | $({\mathbf{h}}_{9}{\mathbf{a}}_{0}+{\mathbf{g}}_{9}{\mathbf{b}}_{1},{\mathbf{h}}_{10}{\mathbf{a}}_{0}+{\mathbf{g}}_{10}{\mathbf{b}}_{1})$ |

$({a}_{2},{a}_{2}^{\prime})$ | $({b}_{2},{b}_{2}^{\prime})$ | $({\mathbf{h}}_{5}{\mathbf{a}}_{0}+{\mathbf{g}}_{5}{\mathbf{b}}_{2},{\mathbf{h}}_{6}{\mathbf{a}}_{0}+{\mathbf{g}}_{6}{\mathbf{b}}_{2})$ | $({\mathbf{h}}_{11}{\mathbf{a}}_{1}+{\mathbf{g}}_{11}{\mathbf{b}}_{2},{\mathbf{h}}_{12}{\mathbf{a}}_{1}+{\mathbf{g}}_{12}{\mathbf{b}}_{2})$ |

(DB1, DB2) | (DB3, DB4) | (DB5, DB6) | (DB7, DB8) |
---|---|---|---|

$({a}_{0},{a}_{0}^{\prime})$ | $({b}_{0},{b}_{0}^{\prime})$ | $({\mathbf{h}}_{1}{\mathbf{a}}_{1}+{\mathbf{g}}_{1}{\mathbf{b}}_{0},{\mathbf{h}}_{2}{\mathbf{a}}_{1}+{\mathbf{g}}_{2}{\mathbf{b}}_{0})$ | $({\mathbf{h}}_{7}{\mathbf{a}}_{2}+{\mathbf{g}}_{7}{\mathbf{b}}_{0},{\mathbf{h}}_{8}{\mathbf{a}}_{2}+{\mathbf{g}}_{8}{\mathbf{b}}_{0})$ |

$({a}_{1},{a}_{1}^{\prime})$ | $({b}_{1},{b}_{1}^{\prime})$ | $({\mathbf{h}}_{3}{\mathbf{a}}_{2}+{\mathbf{g}}_{3}{\mathbf{b}}_{1},{\mathbf{h}}_{4}{\mathbf{a}}_{2}+{\mathbf{g}}_{4}{\mathbf{b}}_{1})$ | $({\mathbf{h}}_{9}{\mathbf{a}}_{0}+{\mathbf{g}}_{9}{\mathbf{b}}_{1},{\mathbf{h}}_{10}{\mathbf{a}}_{0}+{\mathbf{g}}_{10}{\mathbf{b}}_{1})$ |

$({a}_{2},{a}_{2}^{\prime})$ | $({b}_{2},{b}_{2}^{\prime})$ | $({\mathbf{h}}_{5}{\mathbf{a}}_{0}+{\mathbf{g}}_{5}{\mathbf{b}}_{2},{\mathbf{h}}_{6}{\mathbf{a}}_{0}+{\mathbf{g}}_{6}{\mathbf{b}}_{2})$ | $({\mathbf{h}}_{11}{\mathbf{a}}_{1}+{\mathbf{g}}_{11}{\mathbf{b}}_{2},{\mathbf{h}}_{12}{\mathbf{a}}_{1}+{\mathbf{g}}_{12}{\mathbf{b}}_{2})$ |

(DB1, DB2) | (DB3, DB4) | (DB5, DB6) | (DB7, DB8) |
---|---|---|---|

$({a}_{0},{a}_{0}^{\prime})$ | $({b}_{0},{b}_{0}^{\prime})$ | $({\mathbf{h}}_{5}{\mathbf{a}}_{0}+{\mathbf{g}}_{5}{\mathbf{b}}_{2},{\mathbf{h}}_{6}{\mathbf{a}}_{0}+{\mathbf{g}}_{6}{\mathbf{b}}_{2})$ | $({\mathbf{h}}_{9}{\mathbf{a}}_{0}+{\mathbf{g}}_{9}{\mathbf{b}}_{1},{\mathbf{h}}_{10}{\mathbf{a}}_{0}+{\mathbf{g}}_{10}{\mathbf{b}}_{1})$ |

$({a}_{1},{a}_{1}^{\prime})$ | $({b}_{1},{b}_{1}^{\prime})$ | $({\mathbf{h}}_{1}{\mathbf{a}}_{1}+{\mathbf{g}}_{1}{\mathbf{b}}_{0},{\mathbf{h}}_{2}{\mathbf{a}}_{1}+{\mathbf{g}}_{2}{\mathbf{b}}_{0})$ | $({\mathbf{h}}_{11}{\mathbf{a}}_{1}+{\mathbf{g}}_{11}{\mathbf{b}}_{2},{\mathbf{h}}_{12}{\mathbf{a}}_{1}+{\mathbf{g}}_{12}{\mathbf{b}}_{2})$ |

$({a}_{2},{a}_{2}^{\prime})$ | $({b}_{2},{b}_{2}^{\prime})$ | $({\mathbf{h}}_{3}{\mathbf{a}}_{2}+{\mathbf{g}}_{3}{\mathbf{b}}_{1},{\mathbf{h}}_{4}{\mathbf{a}}_{2}+{\mathbf{g}}_{4}{\mathbf{b}}_{1})$ | $({\mathbf{h}}_{7}{\mathbf{a}}_{2}+{\mathbf{g}}_{7}{\mathbf{b}}_{0},{\mathbf{h}}_{8}{\mathbf{a}}_{2}+{\mathbf{g}}_{8}{\mathbf{b}}_{0})$ |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).