Double Blind $T$-Private Information Retrieval

Double blind $T$-private information retrieval (DB-TPIR) enables two users, each of whom privately generates a random index ($\theta_1, \theta_2$, resp.), to efficiently retrieve a message $W(\theta_1,\theta_2)$ labeled by the two indices, from a set of $N$ servers that store all messages $W(k_1,k_2), k_1\in\{1,2,\cdots,K_1\}, k_2\in\{1,2,\cdots,K_2\}$, such that the two users' indices are kept private from any set of up to $T_1,T_2$ colluding servers, respectively, as well as from each other. A DB-TPIR scheme based on cross-subspace alignment is proposed in this paper, and shown to be capacity-achieving in the asymptotic setting of large number of messages and bounded latency. The scheme is then extended to $M$-way blind $X$-secure $T$-private information retrieval (MB-XSTPIR) with multiple ($M$) indices, each generated privately by a different user, arbitrary privacy levels for each index ($T_1, T_2,\cdots, T_M$), and arbitrary level of security ($X$) of data storage, so that the message $W(\theta_1,\theta_2,\cdots, \theta_M)$ can be efficiently retrieved while the stored data is held secure against collusion among up to $X$ colluding servers, the $m^{th}$ user's index is private against collusion among up to $T_m$ servers, and each user's index $\theta_m$ is private from all other users. The general scheme relies on a tensor-product based extension of cross-subspace alignment and retrieves $1-(X+T_1+\cdots+T_M)/N$ bits of desired message per bit of download.


I. INTRODUCTION
Data privacy and security are among the biggest challenges of the modern information age. Driven by these challenges there is much interest in the building blocks (primitives) of privacy/security preserving schemes, such as secret sharing [1], oblivious transfer [2], private information retrieval (PIR) [3], [4], secure multiparty computation (MPC) [5]-[7], and private simultaneous messages (PSM) [8]. Understanding the fundamental limits of each of these building blocks is the key to understanding the scope of their potential applications. The focus of this work is on private information retrieval (PIR).
The main contribution of this work is a cross-subspace alignment based scheme for MB-XSTPIR. In order to introduce the scheme in a more transparent setting, our initial focus is on DB-TPIR, i.e., the double-blind setting ($M = 2$) with $T$-private user indices ($T_1, T_2$, resp.) and replicated data storage, initially with no data-security, i.e., $X = 0$.
This basic setting allows us to convey the main ideas behind the construction of the scheme and also to explore its optimality. Specifically, for the DB-TPIR problem we propose a scheme based on cross-subspace alignment [54] which allows the retrieval of $1 - (T_1 + T_2)/N$ bits of desired message per bit of download, regardless of the number of messages. By noting connections between this problem and $X$-secure $T$-private information retrieval (XSTPIR) [29] we show that $1 - (T_1 + T_2)/N$ is also the asymptotic capacity of DB-TPIR as the number of messages approaches infinity, provided that the number of bits of each message that are jointly encoded is bounded (say, due to latency constraints).
With the insights obtained from DB-TPIR, we are then able to fully generalize our achievable scheme to MB-XSTPIR, i.e., $M$-way blind $X$-secure $T$-private information retrieval with multiple ($M$) indices, each generated privately by a different user, arbitrary privacy levels for each index ($T_1, T_2, \cdots, T_M$), and arbitrary level of security ($X$) of data storage, so that the message $W(\theta_1, \theta_2, \cdots, \theta_M)$ can be efficiently retrieved by the users while the stored data is held secure against collusion among up to $X$ colluding servers, the $m^{th}$ user's index is private against collusion among up to $T_m$ servers, and each user's index $\theta_m$ is private from all other users. The general setting is based on an $M$-way tensor-product extension of cross-subspace alignment codes, and retrieves $1 - (X + T_1 + \cdots + T_M)/N$ bits of desired message per bit of download. This generalizes the known asymptotically (large number of messages) optimal schemes for various special cases of MB-XSTPIR including DB-TPIR ($M = 2$, $X = 0$) and XSTPIR ($M = 1$) [29] (which automatically recovers asymptotically optimal schemes for TPIR ($X = 0$, $M = 1$) [11] and PIR ($X = 0$, $M = 1$, $T_1 = 1$) [10] as well).
In fact, the achievable scheme for MB-XSTPIR also satisfies symmetric-privacy, i.e., the users learn nothing about the database or each other's indices, beyond the desired message. Therefore, it also yields symmetrically private schemes as special cases. For example, the general MB-XSTPIR scheme yields a capacity achieving scheme for Symmetric XSTPIR ($M = 1$) [57], STPIR ($M = 1$, $X = 0$, Symmetric Privacy) [22] and SPIR ($M = 1$, $X = 0$, $T_1 = 1$) as well. Based on all these observations, we conjecture that the general MB-XSTPIR scheme is also asymptotically optimal.
In order to compare the new scheme with the state of the art, a natural baseline is obtained from [56] where a secure multiparty computation (MPC) scheme is constructed based on symmetric-PIR (SPIR) as a building block. This construction can be naturally generalized to a DBPIR scheme. Intuitively, this construction is based on a partitioning of $N$ servers into $\sqrt{N}$ groups of $\sqrt{N}$ servers each, such that within each sub-group the SPIR scheme is executed for one user, while across sub-groups the SPIR scheme is executed for the other user. However, even with the most efficient SPIR scheme as the building block, the rate of this construction for DBPIR is $(1 - 1/\sqrt{N})^2$, which is strictly smaller than the rate $1 - 2/N$ achieved by our asymptotically optimal scheme. This is because cross-subspace alignment allows us to avoid the 2-way partitioning of servers and is able to gain significant efficiency by jointly exploiting all servers. For example, with $N = 4$ servers, the partitioning based approach achieves a rate of $(1 - 1/\sqrt{N})^2 = 1/4$, while the new scheme achieves a 100% higher rate of $1 - 2/N = 1/2$ due to cross-subspace alignment.
This paper is organized as follows. Section II formalizes the general MB-XSTPIR problem. Section III states the main results of this paper in the form of two theorems. Their proofs are presented in Section IV and Section V. Section VI concludes the paper.
Notation: For any two integers $a, b$ such that $a \le b$, let $[a:b]$ denote the set $\{a, a+1, \cdots, b\}$. Let $X_{[a:b]}$ denote the set $\{X_a, X_{a+1}, \cdots, X_b\}$. For any index set $I = \{i_1, i_2, \cdots, i_n\}$, $X_I$ denotes the set $\{X_{i_1}, X_{i_2}, \cdots, X_{i_n}\}$. For two vectors $A$ and $B$, $A \perp\!\!\!\perp B$ denotes that they are linearly independent. The notation $A'$ denotes the transpose of $A$, and $A(i)$ denotes the $i^{th}$ entry of $A$. For an $n$-dimensional tensor $C$, the notation $C(i_1, i_2, \cdots, i_n)$ represents the entry at the corresponding position of $C$. If $C$ is a two-dimensional tensor, then it is a matrix and $C(i_1, i_2)$ denotes the $(i_1, i_2)^{th}$ entry of matrix $C$. The notation $(x)^+$ denotes $\max(x, 0)$.

II. PROBLEM STATEMENT: MB-XSTPIR
Consider a database $W$ comprised of $K = K_1 K_2 \cdots K_M$ messages, indexed as Each message consists of a stream of i.i.d. uniform symbols drawn from a finite field $\mathbb{F}_q$. The stream of symbols implies that the message lengths are unbounded (a standard assumption in information theory). However, we are interested primarily in bounded-latency MB-XSTPIR schemes, i.e., schemes that code over a bounded number of symbols, say $L$ symbols, of each message. By bounded $L$, we mean that $L$ is $O(1)$ in the parameters $K_1, K_2, \cdots, K_M$. In other words, the number of symbols that are jointly encoded by the MB-XSTPIR scheme is bounded even as the number of messages approaches infinity. This assumption is important in practice, especially for streaming or dynamic data, because the number of symbols that are coded together determines the coding delay for streaming data. To our knowledge, for all PIR settings where the asymptotic (large number of messages) capacity is known, it is achieved by bounded-latency schemes [26]. So we do not expect the bounded latency assumption to affect the asymptotic capacity of MB-XSTPIR. But it will be a useful assumption for converse arguments for the special case of DB-TPIR (Double Blind $T$-PIR). Another issue worth clarifying is that even though $L$ is bounded while the number of messages is allowed to be much larger, the downloads still dominate the communication cost because the same queries can be re-used repeatedly to download the unbounded desired message stream, $L$ symbols at a time.
Under the bounded latency assumption, without loss of generality we will assume that each message has length $L$ symbols. In $q$-ary units, The database $W$ is stored at $N$ distributed servers according to an $X$-secure storage scheme. Let the storage at the $n^{th}$ server be denoted by $S_n$, $n \in [1:N]$. An $X$-secure storage scheme ensures that any set of up to $X$ colluding servers cannot learn anything about the database $W$. [X-Security] The setting $X = 0$ corresponds to replicated storage, where we set $S_n = W$, $\forall n \in$ To this end, we assume each user $m$ has his own private randomness $Z_m$. The $N$ servers share common randomness $Z$ that is not available to the users (see Footnote 2). The independence among these entities is formalized as follows.
In order to retrieve the desired message, User $m$ generates $N$ queries Q The corresponding queries from all $M$ users, (Q
Footnote 2: We need common randomness at the servers only to ensure perfect inter-user privacy, as in (9). Remarkably, almost-perfect inter-user privacy can be guaranteed (for large messages) even without common randomness at servers (see Corollary 2).
The privacy constraints consist of two parts.
1) ($T_m$)-Privacy. This means that any $T_m$ or fewer servers have no knowledge about $\theta_m$,
2) Inter-user Privacy. This means that any user must learn nothing about other users' indices.
With the answers from the $N$ servers, each user must be able to recover the desired message. [Correctness] Recall that the rate of a PIR scheme is the number of bits of desired message that can be retrieved per bit of total download. Therefore, if $D$ is the maximum number of $q$-ary symbols downloaded from all servers by a user, under an MB-XSTPIR scheme that allows the user to retrieve $L$ $q$-ary symbols of the desired message, then the rate of such a scheme is denoted as,
The main contribution of this work is an achievable scheme for MB-XSTPIR that is based on cross-subspace alignment, and achieves the rate $1 - (X + T_1 + \cdots + T_M)/N$, for arbitrary number of messages $K_1, K_2, \cdots, K_M$. Note that the scheme itself is not limited to asymptotic settings. Asymptotic settings will be of interest primarily for the purpose of testing the optimality of the scheme for significant special cases.
In order to introduce the scheme in a transparent setting, and to gain deeper insights into its optimality, we focus in particular on Double Blind $T$-PIR (DB-TPIR), which is obtained as a special case of MB-XSTPIR by setting $M = 2$, $X = 0$. Given $q, L, N, K_1, K_2, T_1, T_2$ let us denote the supremum of rates achievable by any DB-TPIR scheme with these parameters as $R^*_{\text{DB-TPIR}}(q, L, N, K_1, K_2, T_1, T_2)$. Specifically, from the optimality perspective, we are interested in the asymptotic capacity of DB-TPIR as Under the bounded latency (b.l.) constraint, this asymptotic capacity is defined (see Footnote 3) as In plain words, $C^{\infty,\text{b.l.}}_{\text{DB-TPIR}}(N, T_1, T_2)$ is the highest rate possible for any DB-TPIR scheme when the number of messages is much larger than the number of bits of each message that are jointly encoded by the scheme.
Remark: Note that the bounded-latency constraint affects the order in which the supremum is taken over message size parameters ($q, L$) versus the limit on the number of messages ($K_1, K_2$). Without the bounded latency constraint, the asymptotic capacity as the number of messages approaches infinity, would be defined as Comparing (14) with (13), we note the key difference is that in (14), the supremum over message size ($q, L$) allows message sizes to approach infinity for a fixed number of messages, and only then the number of messages approaches infinity, whereas in (13) it is the number of messages ($K_1, K_2$) that approaches infinity first for a given message size ($q, L$ are bounded, i.e., $O(1)$ in $K_1, K_2$), and only then the size of the message is allowed to grow. In a nutshell, (14) corresponds to asymptotic settings with $q^L \gg K_1, K_2$, while (13) corresponds to asymptotic settings with $q^L \ll K_1, K_2$, thus prioritizing coding latency.

III. RESULTS
We begin with the asymptotic capacity characterization of DB-TPIR under the bounded-latency constraint.
Footnote 3: For a double sequence $s(K_1, K_2)$, the notation $\lim_{K_1,K_2 \to \infty} s(K_1, K_2) = a$ means that $\forall \epsilon > 0$, $\exists \kappa = \kappa(\epsilon)$ such that [58]). It follows from Theorem 4.2 in [58] that the double limit $\lim_{K_1,K_2 \to \infty} R^*_{\text{DB-TPIR}}$ exists. This is because $R^*_{\text{DB-TPIR}}$ is a decreasing sequence in each of $K_1$ and $K_2$ parameters individually (because any scheme that works with more messages also works with fewer messages), and is bounded below by zero. It also follows from Theorem 4.2 in [58] that

Theorem 1. The asymptotic capacity of DB-TPIR subject to bounded-latency constraint is
The proof of Theorem 1 is presented in Section IV. Notably, the achievability of the rate expression that appears on the RHS of (15) needs neither the bounded-latency assumption, nor the asymptotic setting. Both of those are needed primarily for the converse argument. Without the bounded-latency constraint, the asymptotic capacity of DB-TPIR is bounded according to the following corollary.
The proof of Corollary 1 appears in Appendix A. The lower bound in (16) follows directly from the proof of achievability of Theorem 1. The upper bound in (16) is obtained by noting that DB-TPIR schemes automatically yield TPIR schemes. In fact, as shown in the proof of Corollary 1, the optimal rate of DB-TPIR in the non-asymptotic setting can also be bounded by the capacity of TPIR as
Next we examine the need for common randomness across servers. Common randomness is needed across servers primarily to preserve inter-user privacy, i.e., to keep each user's index private from other users. While in the absence of common randomness, our achievable scheme does not preserve inter-user privacy perfectly, it is remarkable that the scheme manages to preserve inter-user privacy almost-perfectly for large alphabet. In other words, the amount of information leaked to a user about the other user's index, is vanishingly small as $q \to \infty$. Corollary 2 highlights this observation by studying denote the answers generated by the $N$ servers after eliminating common randomness between servers (setting all symbols associated with $Z$ to zero in our achievable scheme for DB-TPIR). For $T_1 = T_2 = 1$, $K_1 = K_2 = K$, and for any $\epsilon > 0$, there exists $q_0 > 0$ s.t. when $q \ge q_0$ ($q$ is the size of the finite field $\mathbb{F}_q$), The proof of Corollary 2 appears in Appendix B.
Our final result generalizes the achievable scheme from DB-TPIR to MB-XSTPIR based on a tensor-product extension of cross-subspace alignment. The achievable rate of the general scheme is presented in the following theorem.

Theorem 2.
For the MB-XSTPIR problem defined in Section II, the following rate is achievable regardless of the number of messages $K_1, K_2, \cdots, K_M$.
Intuitively, this rate expression indicates that with this scheme one symbol is downloaded from each server, and from those N symbols each user is able to recover L =

IV. ASYMPTOTIC CAPACITY OF DB-TPIR
This section is devoted to the proof of Theorem 1.

A. Theorem 1: Converse
Let us find an upper bound on the capacity of DB-TPIR by noting a relationship between DB-TPIR and $X$-secure $T$-private information retrieval (XSTPIR) [29]. Recall that XSTPIR is a special case of MB-XSTPIR obtained by setting $M = 1$. The capacity of XSTPIR with $N$ distributed servers, $K$ messages, $X$-secure data storage, and $T$-private queries is denoted as $C_{\text{XSTPIR}}(N, K, X, T)$. Recall that the asymptotic capacity of XSTPIR We will need the following lemma.
denote the supremum of rates achievable by any DB-TPIR scheme for the parameters $q, L, N, K_1, K_2, T_1, T_2$ as defined in Section II. Then for
Proof. Consider a $K_1 \times K_2$ matrix $w$ whose elements are from $\mathbb{F}_q^L$. The $K_2$ column vectors are all distinct and, say, arranged in lexicographic order. Since $K_2 = q^{LK_1}$, the column vectors of the matrix include all $q^{LK_1}$ possible realizations of $K_1 \times 1$ vectors over $\mathbb{F}_q^L$, and $w$ is uniquely specified. We claim that any construction of a DB-TPIR scheme for the parameter values specified on the LHS of (20), when applied with the particular realization of the database $W = w$, yields an XSTPIR scheme with the parameters specified on the RHS of (20).
Let us describe this XSTPIR scheme. In this XSTPIR scheme the user corresponds to User 1 of the DB-TPIR scheme. Each Server $n$ stores only $Q_n^{(2,\theta_2)}$. Note that $w$ is a constant matrix known to everyone, whose $\theta_2^{th}$ column specifies the realizations of the $K_1$ i.i.d. messages (one of which is desired by the user), each comprised of $L$ uniformly random i.i.d. symbols from $\mathbb{F}_q$. Since $\theta_2$ is $T_2$-private according to the DB-TPIR construction, this constitutes $X = T_2$-secure storage of the $K_1$ messages. Furthermore, based on the $T_1$-private queries, $Q_n^{(1,\theta_1)}$, provided by the user, each server is able to respond as in the DB-TPIR scheme (because $Q_n^{(2,\theta_2)}$ is already known to Server $n$), and the DB-TPIR construction guarantees that the desired message $w(\theta_1, \theta_2)$ is correctly retrieved. Finally, since the rate of an XSTPIR scheme cannot be higher than the capacity of XSTPIR, the proof of Lemma 1 is complete.

Remark:
The XSTPIR scheme that we obtain from the DB-TPIR scheme described above, allows common randomness between servers. While the original formulation of XSTPIR in [29] does not explicitly allow common randomness, it is readily verified that server-side common randomness can be included in the storage of each server in the model of [29], and the asymptotic capacity result still holds.

Proof of Converse of Theorem 1
With the help of Lemma 1 and (12) (in Footnote 3), we are now ready to prove the converse for Theorem 1.
The first step, (22), follows directly from (12). In (23) we used the fact that reducing the number of messages cannot hurt the rate (because the original scheme can still be used with fewer messages). The next step, (24) follows because when $K_2 \to \infty$, $K_1$ is viewed as a constant which is less than $K_2$ and reducing the number of messages cannot hurt the rate. For (25) we used Lemma 1. The next step, (26) follows because for fixed $q$, $L$, and $K = \log_{q^L}(K_1)$, the condition that $K_1 \to \infty$ is equivalent to the condition that $K \to \infty$. Next, (27) follows because the capacity expression is not a function of $q$ or $L$. Finally, the asymptotic capacity characterization for XSTPIR from [29] is used for (28). Thus, the proof of the converse part of Theorem 1 is complete.

B. Theorem 1: Achievability
In this section, we prove the achievability of Theorem 1 by constructing a scheme based on Cross Subspace Alignment (CSA) Codes [54], that can achieve the rate $(1 - (T_1 + T_2)/N)^+$ for arbitrary $N, K_1, K_2, T_1, T_2$. We will focus only on the non-trivial case, $N > T_1 + T_2$. Throughout this scheme we set, Each message $W(i, j)$, i ∈ [1 : consists of $L$ symbols from finite field $\mathbb{F}_q$, denoted as $W(i, j) = (W(i, j)^{(1)}, W(i, j)^{(2)}, \cdots, W(i, j)^{(L)})$. For the scheme we will need the following $L + N$ distinct constants from $\mathbb{F}_q$, that are known to all $N$ servers and the 2 users. Note that this implies that $q \ge L + N$.
The private randomness available to each user is specified as, The random vectors Z (l) Specifically, Q From (36) to (37), distributive law is used. Note that (37) can be viewed as a polynomial of $\alpha_n$. The coefficients of the first $L$ terms are the $L$ symbols of the desired message. $I_i$, $i \in [0 : T_1 + T_2 - 1]$ stands for the remaining (interference) terms that are generated by the product of the matrices in (36). The highest power of $\alpha_n$ is $T_1 + T_2 - 1$ and can be found from Note that the interference terms of (37), except the one of highest order, may contain some information of the index generated by a user. For example, $I_0$ contains which means that User 2 may get some information about the index $\theta_1$ generated by User 1 from the interference terms. To protect against this leakage of information, Server $n$ will add noise drawn from the common randomness that is shared by all servers. The common randomness shared among $N$ servers is specified as, where $(Z_i)_{i \in [0:T_1+T_2-1]}$ are $T_1 + T_2$ random variables that are i.i.d. uniform over $\mathbb{F}_q$. Server $n$ will add the polynomial to the intermediate result $B_n^{(\theta_1,\theta_2)}$ to generate its answer $A_n^{(\theta_1,\theta_2)}$. This is the answer sent to both users.
The matrix $C$ is a Cauchy-Vandermonde matrix of size $N \times N$ since $N = L + T_1 + T_2$. Since $f_l$, $l \in [1:L]$, $\alpha_n$, $n \in [1:N]$ are $L + N$ distinct elements of $\mathbb{F}_q$, according to [59], $C$ is invertible in $\mathbb{F}_q$. Thus, the answers from all the $N$ servers form an invertible function of $W(\theta_1, \theta_2), J_0, \cdots, J_{T_1+T_2-1}$. In other words, the correctness constraint is satisfied.
Let us consider the user-user privacy. Without loss of generality, let us consider User

We have
(45) comes from the fact that $J_{[0:T_1+T_2-1]}$ are protected by $T_1 + T_2$ random symbols shared among servers, which are uniformly i.i.d. over $\mathbb{F}_q$ and are independent of all other terms in (45).
Finally, note that since $L = N - (T_1 + T_2)$ symbols of the desired message are retrieved from a total of $N$ downloaded symbols from all $N$ servers, the rate of this scheme is

C. Examples for Illustration
We use $\alpha$ instead of $\alpha_n$ for compact notation, with the understanding that Server $n$ replaces $\alpha$ with $\alpha_n$. Server 'n' (Replace $\alpha$ with $\alpha_n$) The intermediate result is computed as The answer from the server is Writing in matrix form, the answers from $N = 3$ servers are The desired message is retrieved by inverting the matrix $C$. Since $L = N - (T_1 + T_2) = 1$ symbol of the desired message is retrieved from a total of $N = 3$ downloaded symbols from all 3 servers, the rate of the scheme is $L/N = 1/3$.
Server 'n' (Replace $\alpha$ with $\alpha_n$) The intermediate result is The answer is Writing in matrix form, the answers from $N = 5$ servers are Evidently, the rate achieved is $L/N = 2/5$ in this case.
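The two cases above ($N = 3$ and $N = 5$), run end to end over a small prime field as an added illustration; this is not code from the paper. The query form $e_\theta + (f_l - \alpha_n)(Z_1 + \alpha_n Z_2 + \cdots)$, the field size 101, the split $T_1 = 2$, $T_2 = 1$ for $N = 5$, and all function names are assumptions, chosen to match the interference degree $T_1 + T_2 - 1$ and the Cauchy-Vandermonde decoding described in Section IV-B.

```python
import random

P = 101  # prime field size q (constructed value; the scheme needs q >= L + N)

def inv(x):
    """Multiplicative inverse in F_P."""
    return pow(x % P, -1, P)

def make_query(theta, K, noise, f_l, alpha):
    """Assumed query form: e_theta + (f_l - alpha) * sum_t alpha^t * noise[t], mod P.

    noise holds the T random length-K vectors that keep theta T-private."""
    query = []
    for k in range(K):
        z = sum(pow(alpha, t, P) * noise[t][k] for t in range(len(noise)))
        query.append((int(k == theta) + (f_l - alpha) * z) % P)
    return query

def server_answer(W, q1, q2, f, alpha, common):
    """One symbol per server: sum_l q1[l]' W[l] q2[l] / (f_l - alpha) + noise polynomial."""
    total = 0
    for l, f_l in enumerate(f):
        bilinear = sum(q1[l][i] * W[l][i][j] * q2[l][j]
                       for i in range(len(q1[l])) for j in range(len(q2[l])))
        total += inv(f_l - alpha) * bilinear
    # Server-side common randomness masks the T1+T2 interference coefficients.
    total += sum(z * pow(alpha, i, P) for i, z in enumerate(common))
    return total % P

def solve_mod(C, y):
    """Solve C x = y over F_P by Gauss-Jordan elimination (C must be invertible)."""
    n = len(C)
    M = [row[:] + [v] for row, v in zip(C, y)]
    for c in range(n):
        pivot = next(r for r in range(c, n) if M[r][c])
        M[c], M[pivot] = M[pivot], M[c]
        scale = inv(M[c][c])
        M[c] = [x * scale % P for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                factor = M[r][c]
                M[r] = [(a - factor * b) % P for a, b in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

def db_tpir(N, T1, T2, K1, K2, theta1, theta2, seed=0):
    """Run the whole exchange; returns (decoded symbols, true symbols, (L, N))."""
    rng = random.Random(seed)  # reproducible demo; real use needs a CSPRNG
    L = N - (T1 + T2)
    f = list(range(1, L + 1))               # f_1..f_L
    alphas = list(range(L + 1, L + N + 1))  # alpha_1..alpha_N, distinct from every f_l

    def rand_vecs(K, T):
        return [[rng.randrange(P) for _ in range(K)] for _ in range(T)]

    # W[l][i][j] is the l-th symbol of message W(i, j), replicated at all servers (X = 0).
    W = [[[rng.randrange(P) for _ in range(K2)] for _ in range(K1)] for _ in range(L)]
    Z1 = [rand_vecs(K1, T1) for _ in range(L)]  # User 1 private randomness
    Z2 = [rand_vecs(K2, T2) for _ in range(L)]  # User 2 private randomness
    common = [rng.randrange(P) for _ in range(T1 + T2)]
    answers = []
    for a in alphas:
        q1 = [make_query(theta1, K1, Z1[l], f[l], a) for l in range(L)]
        q2 = [make_query(theta2, K2, Z2[l], f[l], a) for l in range(L)]
        answers.append(server_answer(W, q1, q2, f, a, common))
    # Cauchy columns 1/(f_l - alpha_n), then Vandermonde columns alpha_n^i.
    C = [[inv(f_l - a) for f_l in f] + [pow(a, i, P) for i in range(T1 + T2)]
         for a in alphas]
    decoded = solve_mod(C, answers)[:L]
    truth = [W[l][theta1][theta2] for l in range(L)]
    return decoded, truth, (L, N)

if __name__ == "__main__":
    for args in [(3, 1, 1, 4, 5, 2, 3), (5, 2, 1, 3, 4, 0, 2)]:
        decoded, truth, (L, N) = db_tpir(*args)
        print(f"N={N}: decoded={decoded} truth={truth} rate={L}/{N}")
```

Each user inverts the same $N \times N$ matrix; the last $T_1 + T_2$ unknowns it recovers are the masked interference terms, which are discarded.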

V. M -WAY BLIND X -SECURE T -PRIVATE INFORMATION RETRIEVAL
In this section, we propose a scheme that solves the generalized problem: $M$-way blind $X$-secure $T$-private information retrieval (MB-XSTPIR). The rate achieved by this scheme is $R = 1 - (X + T_1 + \cdots + T_M)/N$.
MB-XSTPIR has been formalized in Section II. In brief, MB-XSTPIR enables $M$ users who independently generate $M$ indices $\theta_1, \cdots, \theta_M$ ($\theta_m$ generated by user $m$) to retrieve a message $W(\theta_1, \cdots, \theta_M)$ from a database $W$ which is $X$-securely stored at $N$ distributed servers, with ($T_m$)-Privacy and User-User Privacy constraints satisfied.
The MB-XSTPIR scheme proposed in this section is still based on Cross Subspace Alignment (CSA) and is a natural extension of the DB-TPIR scheme. The main difference is that in this case, the database W is an M-dimensional tensor instead of a 2-dimensional matrix in DB-TPIR.

A. Brief Review of Tensors
Let us briefly review the key properties of tensors that we will need. Specifically, an $M$-dimensional tensor is an $M$-dimensional array. For instance a 2-dimensional tensor is a matrix, and a 3-dimensional tensor is a cuboid made up of several matrices. Each dimension of a tensor is called a mode. The $m^{th}$ dimension is called mode-$m$. The tensor operation we mainly need is the operation called mode-$m$ tensor vector multiplication. Readers can refer to Chapter 3, Section 3.1.2 of [60] for more details.

Definition 1. Mode-m Tensor Vector Multiplication. The mode-m multiplication of a tensor
where $C \in \mathbb{F}_q^{K_1 \times \cdots \times K_{m-1} \times 1 \times K_{m+1} \times \cdots \times K_M}$, and each element of $C$ is specified as Note that this operation is a multi-linear operation, so distributive law applies to this operation.

B. General MB-XSTPIR Scheme
Throughout this scheme we set $L = N - (T_1 + T_2 + \cdots + T_M) - X$. Let $\mathbb{F}_q$ be a finite field with $q \ge L + N$ and let $f_1, \cdots, f_L, \alpha_1, \cdots, \alpha_N$ be $L + N$ distinct elements in $\mathbb{F}_q$. These $L + N$ elements are known to the $N$ servers and $M$ users.
The private randomness available at user $m$ to keep his index $\theta_m$ $T_m$-private is where the column vectors Z For compact notation, we write $\sum T_m$ instead of $\sum_{m \in [1:M]} T_m$. The common randomness $Z$ shared among $N$ servers for protecting inter-user privacy is specified as where $Z_i$, $i \in [0 : \sum T_m + X - 1]$ are $\sum T_m + X$ random noise variables that are i.i.d. and uniform over $\mathbb{F}_q$.
To form $X$-secure storage of the data, let us introduce which are independent uniform random noise tensors from The database $W$ can be split into $L$ parts, each of which is an $M$-dimensional tensor. This partitioning is specified as so that $W^{(l)}$ contains the $l^{th}$ symbol of every message.
The independence between the messages, indices, and noises is specified as T m + X + LK 1 · · · K M X.
To keep the database $W$ $X$-secure, $W$ is secret-shared among $N$ servers. The $n^{th}$ server holds the share $S_n = (S_n^{(1)}, \cdots, S_n^{(L)}$ As before, let $Q_{m,\theta_m}$ be the column vector with $K_m$ entries whose $\theta_m^{th}$ entry is 1 while other entries are all 0s. With the tensor vector multiplication defined above, the desired message can be written as To guarantee $T_m$-privacy, the index generated by the $m^{th}$ user is protected by $T_m$ random noise vectors. The queries sent from the $m^{th}$ user to the $n^{th}$ server are constructed as Q With the queries from the $M$ users and stored $S_n$, the $n^{th}$ server first computes an intermediate result As before, $I_0, \cdots, I_{\sum T_m + X - 1}$ are $\sum T_m + X$ interference terms which are useless. Note that the distributive law applies here because mode-$m$ multiplication is a multi-linear operation. The highest order of $\alpha_n$ is $\sum T_m + X - 1$, which results from Similar to DB-TPIR, the interference terms may contain some information of the indices generated by all users. To guarantee privacy between users, servers will add common randomness shared among them to the intermediate results to generate their answers for each user. Specifically, the answer from server $n$ is The matrix form of (58) is similar to that of the 2-user case, so we omit it here. Since $L = N - \sum T_m - X$ dimensions are occupied by desired message symbols and $\sum T_m + X$ dimensions are occupied by the noisy versions of interference terms ($J$), the rate achieved here is

C. Example
Let us provide a simple example for illustration.
The storage at Server n and the queries from the 3 users are listed as follows.
Server 'n' (Replace $\alpha$ with $\alpha_n$) The intermediate result is The highest order of $\alpha$ is 5 since $T_1 + T_2 + T_3 + X - 1 = 5$ in this case. The answer from the server is Evidently, the desired symbols occupy 2 dimensions, the aligned interference occupies 6 dimensions, and the rate achieved is $2/8 = 1/4$.

VI. CONCLUSION
We explored the problem of $M$-way blind $X$-secure $T$-private information retrieval (MB-XSTPIR). We found the asymptotic capacity of double blind $T$-private information retrieval (DB-TPIR), which is a special case of MB-XSTPIR, under a bounded-latency constraint. The achievable scheme was constructed based on Cross-Subspace Alignment. We then generalized the scheme using tensor-products into an MB-XSTPIR scheme where the number of users ($M$), storage security-level ($X$) and privacy level of each user's index ($T_1, T_2, \cdots, T_M$) can be arbitrarily chosen.

A. Proof of Corollary 1
The lower-bound follows already from the proof of achievability of Theorem 1. Here we prove the upper bound. Any DB-TPIR scheme with parameters $K_1, K_2, T_1, T_2$ yields two TPIR schemes. In one TPIR scheme, the user corresponds to User 1 of DB-TPIR. User 2 in DB-TPIR generates a fixed index so that the user is retrieving a message in a database with $K_1$ messages (a fixed row of $W$) with $T_1$-privacy constraint from $N$ servers. The rate of DB-TPIR cannot exceed $\frac{1 - T_1/N}{1 - (T_1/N)^{K_1}}$ because this value is the capacity of TPIR with $N$ servers, $K_1$ messages and a $T_1$-privacy constraint according to [11].
The other TPIR scheme is similarly defined where the user corresponds to User 2 in DB-TPIR, while User 1 in DB-TPIR generates a fixed index, thus the rate of DB-TPIR cannot exceed $\frac{1 - T_2/N}{1 - (T_2/N)^{K_2}}$. Note that for large $K_1, K_2$, we so the upper bound follows in the asymptotic setting.

B. Proof of Corollary 2
Let us focus on (17), i.e., inter-user privacy from the $1^{st}$ user's perspective. Similar reasoning will apply to (18).
(71) results from the fact that I 0 , I 1 are in F q and conditioning reduces entropy. (72) holds because elements in I [1:3] can be subtracted from I 0 , I 1 .
To proceed further we need to define the following new random variables.
Note that the numerator of (75) is the order of the general linear group of degree K over F q . (77) follows because E 1 and E 2 are independent.
Let R 1 , R 2 be two row vectors and E 1 = 1 implies that W (1) has full-rank. E 2 = 1 means that Z Such (i, j) must exist due to the linear independence of R 1 and R 2 .