Robust and Secure Cache-aided Private Linear Function Retrieval from Coded Servers

This work investigates a system where each user aims to retrieve a scalar linear function of the files of a library, which are Maximum Distance Separable coded and stored at multiple distributed servers. The system needs to guarantee robust decoding in the sense that each user must decode its demanded function with signals received from any subset of servers whose cardinality exceeds a threshold. In addition, (a) the content of the library must be kept secure from a wiretapper who obtains all the signals from the servers; (b) any subset of users together cannot obtain any information about the demands of the remaining users; and (c) the users' demands must be kept private against all the servers even if they collude. Achievable schemes are derived by modifying existing Placement Delivery Array (PDA) constructions, originally proposed for single-server single-file retrieval coded caching systems without any privacy, security or robustness constraints. It is shown that the PDAs describing the original Maddah-Ali and Niesen's coded caching scheme result in a load-memory tradeoff that is optimal to within a constant multiplicative gap, except for the small memory regime when the number of files is smaller than the number of users. As by-products, improved order optimality results are derived for three less restrictive systems in all parameter regimes.


Fig. 1: System model
User-side Demand Privacy: Schemes that guarantee user privacy, that is, no user can infer the demand of another user after the delivery phase, were proposed in [6]. In particular, user privacy can be guaranteed by adding virtual users [6], [7]. We investigated user privacy against colluding users in [8], for both single file retrieval and scalar linear function retrieval, where we imposed that any subset of users must not obtain any information about the demands of other users even if they exchange the content in their caches. The key idea in [8] is that, in addition to the cached contents as in the MAN scheme [1], each user also privately caches some privacy keys, which are composed as random linear combinations of the parts of the files that were not cached in the MAN scheme. The demands are added by the same coefficients used to generate the privacy keys, so that each user can decode its demanded files with the privacy keys.
Content Security & User-side Demand Privacy: We investigated simultaneous content Security and user demand Privacy for scalar Linear Function Retrieval (SP-LFR) in [9], where we designed a key superposition scheme to guarantee both conditions at once by superposing (i.e., summing together) the security keys and privacy keys. We showed that the load-memory tradeoff in this case is the same as in the setup with only content security guarantees. The idea of key superposition was incorporated into the framework of Placement Delivery Array (PDA), which was known to depict both placement and delivery phases in a single array for coded caching systems with neither security nor privacy constraints [10]. The advantage of the PDA framework is that low subpacketization schemes can be obtained directly from existing PDA constructions, such as the ones in [10]-[14].
Server-side Demand Privacy: Server-side demand privacy has been thoroughly investigated for the case of multiple servers and a single user, which is known as the Private Information Retrieval (PIR) problem [15]. The capacity of PIR has been characterized in [16] for single file retrieval, in [17] for scalar linear function retrieval, and in [18] for single file retrieval and colluding servers. PIR with a cache-aided user was investigated in [19]-[22]. Recently, the PIR setting has been extended so as to include multiple cache-aided users in [23], [24], where techniques from coded caching and PIR were combined to derive achievable schemes that are provably optimal to within a constant gap.
MDS Coded Servers and Decoding Robustness: Since node failures and erasures commonly arise in storage systems, redundancy is desirable [25]. Maximum Distance Separable (MDS) codes are often used to code the data stored across servers. The advantage of MDS coded servers is that they save storage while tolerating unresponsive servers. PIR from MDS-coded servers has been investigated in [26]-[28], and the capacity was characterized in [26]. The schemes in [27], [28] have almost optimal sub-packetization among all schemes achieving the smallest download rate. The PIR schemes in [29] have asymptotically optimal download rate when any number of unresponsive servers not exceeding some threshold show up.

A. Contributions and Paper Organization
In this paper, we combine all the above mentioned requirements in a system whose model is depicted in Fig. 1. The model consists of H servers, N files, and K users. Each of the N files is stored, as an (H, L) MDS coded version, at all servers. Each server is connected to all the users via a dedicated shared link, but may not be able to reach all the users. The novel aspect of this work is to design coded caching schemes that are robust to some servers' unavailability, that is, each user must be able to retrieve an arbitrary scalar linear function of the files from the signals obtained from an arbitrary subset of L servers (out of H servers). The security [5], user-side privacy [8] and server-side privacy [18] conditions are also imposed. We refer to this model as a Robust Secure and (server- and user-side) Private Linear Function Retrieval (RSP-LFR) problem.
Our key idea on how to guarantee all those conditions simultaneously is to extend the key superposition scheme in [9]. In particular, the technique of superposing user-side privacy and security keys is used in the placement phase, while in the delivery phase, the multicast signals are created in the MDS code domain, where the MDS coded versions of the keys are added to the MDS coded multicast signals. Robustness is guaranteed by the linearity property of the MDS code. Security and (server- and user-side) privacy are guaranteed since each transmitted signal is accompanied by an appropriate MDS coded key.
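The linearity step described above can be checked numerically. The following Python code is an added example, not taken from the paper: it assumes a prime field GF(257), a Vandermonde generator matrix, a single packet vector, and a key held directly by the user (in the paper the user instead caches superposed keys), and it shows that a coded packet plus a coded key is the codeword of the masked packet, so signals from any L of the H servers suffice.

```python
import random
from itertools import combinations

P = 257  # constructed prime field size; the paper works over a generic F_q


def generator(L, H):
    """L x H Vandermonde generator: g[l][h] = x_h**l with x_h = h + 1 (assumed choice)."""
    return [[pow(h + 1, l, P) for h in range(H)] for l in range(L)]


def encode(G, msg):
    """Map L message symbols to H coded symbols, one per server."""
    L, H = len(G), len(G[0])
    return [sum(G[l][h] * msg[l] for l in range(L)) % P for h in range(H)]


def decode(G, received):
    """Recover the L message symbols from {server index: symbol} of any L servers."""
    L = len(G)
    if len(received) < L:
        raise ValueError("need signals from at least L servers")
    servers = sorted(received)[:L]
    # Augmented system: sum_l G[l][h] * y_l = c_h for each responding server h.
    M = [[G[l][h] for l in range(L)] + [received[h] % P] for h in servers]
    for col in range(L):  # Gauss-Jordan elimination over GF(P)
        piv = next(r for r in range(col, L) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(L):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[col])]
    return [M[l][L] for l in range(L)]


def robust_delivery(L=2, H=3, seed=7):
    """Mask a packet with a key in the code domain and decode from every L-subset."""
    rng = random.Random(seed)
    G = generator(L, H)
    w = [rng.randrange(P) for _ in range(L)]  # demanded packet, L subfile symbols (constructed)
    v = [rng.randrange(P) for _ in range(L)]  # key shared by the servers, known to the user
    coded_w, coded_v = encode(G, w), encode(G, v)
    # Server h adds its coded key symbol to its coded data symbol.
    x = [(a + b) % P for a, b in zip(coded_w, coded_v)]
    # Linearity: the H signals form the codeword of the masked packet w + v.
    masked = [(a + b) % P for a, b in zip(w, v)]
    linear = x == encode(G, masked)
    recovered = {}
    for subset in combinations(range(H), L):
        y = decode(G, {h: x[h] for h in subset})  # user learns w + v ...
        recovered[subset] = [(a - b) % P for a, b in zip(y, v)] == w  # ... and strips the key
    return linear, recovered


if __name__ == "__main__":
    linear, recovered = robust_delivery()
    print("signals form one codeword:", linear)
    for subset, ok in recovered.items():
        print("servers", subset, "->", "decoded" if ok else "failed")
```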
Our main contributions for the proposed RSP-LFR model are as follows.
1) We propose a procedure to obtain an RSP-LFR scheme from a given PDA, so that low-subpacketization RSP-LFR schemes can be easily obtained from various existing PDA constructions [10]-[14]. Interestingly, with the same PDA, compared to the single server SP-LFR system in [9], the achieved memory size is the same, but the load is scaled by a factor H/L, i.e., the inverse of the rate of the MDS code used to encode the library files.
2) Following the proposed procedure, RSP-LFR schemes based on the PDAs that describe the original MAN scheme in [1] (MAN-PDAs) are proved to achieve the best load-memory tradeoffs among all PDA-based RSP-LFR schemes. Moreover, we show that they have the smallest subpacketization among all PDA based schemes achieving the same load-memory pairs.
3) The load-memory tradeoff achieved by MAN-PDAs is proved to be to within a constant multiplicative gap from the optimal load-memory tradeoff, except for the regime of small memory and fewer files than users.
4) For three less restrictive models, where some conditions are dropped, we propose schemes for the corresponding setups that improve the load-memory tradeoffs of the novel MAN-PDA-based RSP-LFR scheme. The idea for improving the tradeoff in less restrictive models is as follows. In the case where security is not imposed, security keys can be removed, and hence, some signals in the delivery phase become redundant and can be removed akin to [3], [4], [9]. Moreover, those improved schemes are shown to be optimal to within a constant multiplicative gap in their respective setups in all parameter regimes, and the gap is lower than previously known schemes.
The rest of this paper is organized as follows. Section II gives the formal problem definition. Section III reviews the PDA framework and gives an illustrative example. Section IV summarizes our main results, where the proof details are deferred to Sections V-VII. Section VIII presents some numerical results. Section IX concludes the paper.

B. Notation Convention
In this paper, $\mathbb{N}^+$ denotes the set of positive integers; $\mathbb{F}_q$ and $\mathbb{F}_q^n$ denote the finite field of cardinality $q$, for some prime power $q$, and the $n$-dimensional vector space over $\mathbb{F}_q$, respectively. For two integers $m, n$ such that $m \le n$, we use $[m:n]$ to denote the set $\{m, \ldots, n\}$; $[1:n]$ is also denoted by $[n]$ for short. We use $X_A$ to denote the tuple composed of $\{X_i : i \in A\}$ for some integer set $A$, where the elements are ordered increasingly, e.g., $X_{[3]} = (X_1, X_2, X_3)$. For variables with two or more indices, e.g., $X_{i,j}$, we use $X_{A,B}$ to denote the tuple $\{X_{i,j} : i \in A, j \in B\}$, where the elements are listed in lexicographical order, e.g., $X_{[3],[2]} = (X_{1,1}, X_{1,2}, X_{2,1}, X_{2,2}, X_{3,1}, X_{3,2})$.

II. SYSTEM MODEL
Let $N, K, L, H$ be positive integers satisfying $L \le H$. The $(N, K, L, H)$ RSP-LFR system, illustrated in Fig. 1, consists of $H$ servers (denoted by $1, \ldots, H$), where each server is connected to $K$ users (denoted by $1, \ldots, K$) via a dedicated shared-link. A file library of $N$ files (denoted by $W_1, \ldots, W_N \in \mathbb{F}_q^B$) is stored at the $H$ servers in the form of an $(H, L)$ MDS code as follows, where $B$ denotes the file length. Each file $W_n$, $n \in [N]$, is composed of $L$ equal-size subfiles $W_{n,1}, \ldots, W_{n,L} \in \mathbb{F}_q^{B/L}$ and is encoded into $H$ coded subfiles $W_{n,1}, \ldots, W_{n,H} \in \mathbb{F}_q^{B/L}$ with a given $(H, L)$ MDS code with generator matrix that is, the coded subfiles are given by g l,1 W n,l , . . . , The $N$ files are mutually independent and uniformly distributed over $\mathbb{F}_q^B$, that is, Notice that, $W_a$, $W_{a,l}$, $W_{a,h}$ are linear in $a$, e.g., for any $u, v \in \mathbb{F}_q$ and $a, b \in \mathbb{F}_q^N$, $W_{ua+vb} = uW_a + vW_b$. Moreover, since W n, . . , W a,L ), $\forall\, a \in \mathbb{F}_q^N$, as in (5c). The system operates in two phases as follows.
Placement Phase: The servers can communicate with each other, and all users can access all servers. To ensure the security condition in (11b), the servers share some randomness $V$ from some finite alphabet $\mathcal{V}$. Each user $k \in [K]$ generates some random variable $P_k$ from some finite alphabet $\mathcal{P}_k$ and caches some content $Z_k$ as a function of $P_k$, $V$ and the file library $W_{[N]}$. Let the cached content be for some encoding functions $\varphi_k$ : The quantity $M$ is referred to as memory size. The encoding functions $\varphi_1, \ldots, \varphi_K$ are known by the servers, but the randomness $P_1, \ldots, P_K$ is kept private by the corresponding users.
Delivery Phase: Each user $k \in [K]$ generates a demand $d_k = (d_{k,1}, \ldots, d_{k,N}) \in \mathbb{F}_q^N$, meaning it is interested in retrieving the linear combination of the files $W_{d_k}$. The following random variables are independent for some query functions $\kappa_{k,h}$ : where k,h is the length of the query $Q_{k,h}$. If any randomness is needed in the queries, it has to be stored in the cache. Then user $k \in [K]$ sends the query $Q_{k,h}$ to server $h \in [H]$.
Upon receiving the queries from all the users, server $h \in [H]$ creates a signal $X_h$ as for some encoding function $\phi_h$ : , is referred to as the load of server $h$. The (total) load of the system is defined as An RSP-LFR scheme must satisfy the following conditions for all demands $d_1, \ldots,$
Objective: A memory-load pair $(M, R) \in [1, N] \times \mathbb{R}^+$ is said to be $B$-achievable if, for any > 0, there exists a scheme satisfying all the conditions in (11) with memory size less than M + , load less than R + with file-length $B$. The main objective of this paper is to characterize the optimal load-memory tradeoff of the system, defined as Throughout this paper, we consider the case $N \ge 2$, since demand privacy is impossible for $N = 1$ (i.e., there is only one possible file to be demanded). For a given scheme, we are also interested in its subpacketization level, which is defined as the number of packets each file has to be partitioned into in order to implement the scheme.
Remark 1 (Implications of the conditions in (11)). The constraints in (11) imply the following.
1) The robust correctness condition in (11a) guarantees that each user can correctly decode its required scalar linear function by receiving any $L$-subset of the transmitted signals. Since each user decodes independently, the available subset of signals $\mathcal{L}$ need not be the same across the users.
2) The security condition in (11b) guarantees that a wiretapper, who is not a user in the system and observes all the delivery signals, cannot obtain any information about the contents of the library files. It was proved in [8, Appendix A] that the conditions in (11b) and (11c) imply that is, the wiretapper having access to $X_{[H]}$ in fact cannot obtain any information on both the files and the demands of the users.
3) The user-side privacy condition in (11c) guarantees that any subset of users who exchange their cache contents cannot jointly learn any information on the demands of the other users, regardless of the file realizations.
4) The server-side privacy condition in (11d) guarantees that the servers cannot obtain any information on the demands of the users, even if all the servers collude by exchanging their stored contents.
Remark 2 (Minimum memory size). It was proved in [5] that, in order to guarantee the correctness condition in (11a) and the security condition in (11b) simultaneously, the memory size $M$ has to be no less than one. Thus the load-memory tradeoff is defined for $M \in [1, N]$.
Remark 3 (Comparison with [23]). In the case $L = 1$ and $G = [1, 1, \ldots, 1]$, the servers store replicated databases. A scheme to retrieve single files from replicated databases for multiple users was proposed in [23], while guaranteeing server-side privacy. This is different from our setup, even if we remove the user-side privacy and security conditions, since our robust decoding setup in this case imposes that each user can decode from the signal of any single server (i.e., $L = 1$).
Remark 4 (Less Constrained Systems and Naming Convention). For any given RSP-LFR $(N, K, L, H)$ system, the robust correctness condition in (11a) guarantees that the users can correctly decode their demands by receiving the signals from any $L$ servers. In addition to investigating the load-memory tradeoff of the RSP-LFR system, we also discuss less constrained systems where some of the conditions in (11) are relaxed or dropped. In such systems, the optimal load-memory tradeoff can be similarly defined as in (12). In particular, we use $R^*_C(M)$ to denote the optimal load-memory tradeoff of a system with only the constraints listed in the label $C$, which can be any of the following:
• L: scalar Linear Function Retrieval (LFR) demands, i.e., the demands $d_1, \ldots, d_K \in \mathbb{F}_q^N$;
• F: File Retrieval (FR) demands, i.e., the demands $d_1, \ldots, d_K$ are restricted to $\{e_1, \ldots, e_N\}$, where $e_n \in \mathbb{F}_q^N$, $n \in [N]$, is the vector with the $n$-th digit being 1 and all the others zero;
• S: the security condition in (11b);
• P: both privacy conditions in (11c) and (11d);
• $P_U$: the user-side privacy condition in (11c);
• $P_S$: the server-side privacy condition in (11d).
The convention for the subscript $C$ is:
1) It contains either L or F, but not both, so as to identify the demand type allowed in the system.
2) It contains at most one character between P, $P_U$, $P_S$, which identifies the privacy condition imposed on the system.
Notice that, if $C$ = LSP, the system is the novel RSP-LFR setup introduced in this paper, thus, $R^*_{LSP}(M) = R^*(M)$ in (12), defined for all $M \in [1, N]$.
We will also need to discuss the single server system where all the files are stored at the server. The optimal load-memory tradeoff can be similarly defined for such a system for any constraint implied by $C \in \Omega$. We will use $R^*_C(M)$ to denote the optimal tradeoff in the single server system with constraint identified by $C \in \Omega$.

III. PDAS AND A TOY EXAMPLE
Our achievable results are based on the notion of PDA [10], originally introduced to reduce the subpacketization in the single-server systems for single file retrieval and without any security or privacy guarantees. In this section, we first review the definition of PDA, and then give an example to highlight the key ideas in the design of our RSP-LFR scheme. The general construction will be discussed in the rest of the paper.
A. Placement Delivery Array
Definition 1 (PDA [10]). For given $K, F \in \mathbb{N}^+$ and $Z, S \in \mathbb{N}$, , composed of $Z$ specific symbols "$*$" in each column and some ordinary symbols $1, \ldots, S$, each occurring at least once, is called a $(K, F, Z, S)$ PDA, if, for any two distinct entries $a_{i,j}$ and $a_{i',j'}$, we have $a_{i,j} = a_{i',j'} = s$, for some ordinary symbol $s \in [S]$, only if a) $i \ne i'$, $j \ne j'$, i.e., they lie in distinct rows and distinct columns; and b) $a_{i,j'} = a_{i',j} = *$, i.e., the corresponding $2 \times 2$ sub-array formed by rows $i, i'$ and columns $j, j'$ must be of the following form
Similarly to (5), for any $a = (a_1, a_2, a_3, a_4) \in \mathbb{F}_2^4$, we use the following notation to denote the linear combination of (un)coded packets with coefficient vector $a$: The system operates as follows.
Placement Phase: The servers share $LS = 6$ vectors $\{V_{l,s} : l \in [2], s \in [3]\}$, which are generated independently and uniformly from $\mathbb{F}_2^{B/6}$, where the packets $V_{1,s}, V_{2,s}$ will be associated to the ordinary symbol $s \in [3]$. Each user $k \in [3]$ generates a random vector $p_k = (p_{k,1}, p_{k,2}, p_{k,3}, p_{k,4}) \in \mathbb{F}_2^4$. The cache content of user $k$ is composed of $p_k$ and the (un)coded packets in the corresponding column in Table I.
The packets $W_{[4],[2],i}$ are associated to the $i$-th row of $A$ in (16) and user $k$ is associated to the $k$-th column of $A$. The packets in the $i$-th row of Table I of user $k$ are created according to the entry $a_{i,k}$ of $A$ in (16): if $a_{i,k} = *$, user $k$ caches $NL = 8$ uncoded packets $W_{[4],[2],i}$, otherwise it caches $L = 2$ coded packets $W_{p_k,[2],i} \oplus V_{[2],a_{i,k}}$.
Delivery Phase: Assume that user 1, 2, 3 demands the linear combination all the servers as queries. Upon receiving the query vectors $q_{[3]}$, each server $h \in [3]$ sends a signal $X_h$ to the users, where $X_h$ is composed of the query vectors $q_{[3]}$ and $S = 3$ coded packets as in Table II, which are associated to the ordinary
Performance: Each user $k \in [3]$ can decode the linear combination $W_{d_k}$ with signals from any $L = 2$ servers because user $k$ can decode $W_{d_k,[2],k}$ since it has cached all the uncoded packets $W_{[4],[2],k}$ from Table I. For the other packets, we note: transmits the query vectors $q_{[3]}$.
• Upon obtaining the signals in Table III, each user $k \in [3]$ can proceed with the decoding process for each subfile $l \in [2]$ as in [8]. Let us take $s = 1$ for subfile $l = 1$ as an example. As $a_{1,2} = a_{2,1} = 1$, (22c) One can verify that each user $k \in [3]$ can decode all the remaining packets $W_{d_k,[2],[3]\setminus\{k\}}$ from its stored contents, the signals in Table III and the query vectors $q_{[3]}$. This concludes the proof of correct robust decoding. Privacy and security are guaranteed since each signal is accompanied by a key of random and uniformly distributed bits.
In terms of memory-load performance, recall that each packet is of size $B/6$ bits. Each user caches 12 packets and 1 vector in $\mathbb{F}_2^4$, whose length does not scale with $B$. Thus the needed memory is $M = 12 \times \frac{1}{6} = 2$ files. Each of the 3 servers sends 3 packets and 3 vectors in $\mathbb{F}_2^4$, thus the achieved load is $R = 3 \times 3 \times \frac{1}{6} = \frac{3}{2}$ files. Hence, the scheme achieves the memory-load pair $(M, R) = (2, \frac{3}{2})$.

A. PDA based RSP-LFR Schemes
With any given PDA, we will construct an associated RSP-LFR scheme. The following theorem summarizes the performance of PDA based SP-LFR scheme, which will be proved by presenting and analyzing the construction in Section V.
Theorem 1. For any $(N, K, L, H)$ system and a given $(K, F, Z, S)$ PDA $A$, there exists an associated RSP-LFR scheme that achieves the memory-load pair with subpacketization $LF$.
Remark 5 (Comparison with single-server systems). With the procedure described in Section V, we can easily obtain RSP-LFR schemes from existing PDA constructions, such as those in [10]-[14]. If $H = L = 1$, the system degrades to a single-server shared-link system, where all the files are stored at the server [1]. In [9], a key superposition scheme was proposed to guarantee the correctness, security, and user privacy conditions simultaneously based on any $(K, F, Z, S)$ PDA $A$ for single-server systems. The scheme in [9] achieves the memory-load pair in (23) with $H/L = 1$. In other words, the RSP-LFR scheme with PDA $A$ achieves the same memory size as in the single server case but the load is scaled by a factor $H/L$. In the case $H = L$, each user needs to retrieve information from all the servers, and the total load is the same as that from a single server case (i.e., $H = L = 1$). Moreover, this indicates that, in addition to guaranteeing correctness, security, and user-side privacy conditions, the server-side privacy condition does not increase the load-memory tradeoff in the non-robust multi-server case with $H = L$.

B. Optimality of MAN-PDA based RSP-LFR Schemes
The following PDA describing the MAN scheme in [1] is important, and will be referred to as MAN-PDA in the following.
It was proved in [10] that A t from (24) The following theorem summarizes the performance of MAN-PDA and its optimality. The proof is presented in Section VI-A.
Theorem 2. Let $R(M)$ be the lower convex envelope of the following points where t ∈ 2) $N < K$, for all $M \in [2, N)$,
Remark 6 (Open regime $N < K$, $1 \le M < 2$). In the regime $N < K$, $1 \le M < 2$ the gap is unbounded.
is the tradeoff achieved by the key superposition scheme in the single server system where the security and user-side privacy conditions are imposed [9], and $R^*_{LSP_U}(M)$ is the corresponding optimal tradeoff. The gap result in Theorem 2 thus follows from the bound for [9], where the same regime is open. The main problem in this regime for the single server model is that, if security keys are used [5], [9], for the point $M = 1$ the best known achievable load is $K$, while the best known converse is $N$. Once a new converse and gap are obtained for this regime in the single server case, the same gap will apply to our RSP-LFR system.
The following theorem implies that, with the given procedure of deriving RSP-LFR schemes in Section V, the memory-load pairs $\{(M_t, R_t) : t \in [0:K]\}$ achieved by the MAN-PDAs are Pareto-optimal among all PDA based RSP-LFR schemes. Moreover, the MAN-PDAs have the smallest subpacketization among all PDA based RSP-LFR schemes achieving these points. The proof is deferred to Section VI-B.
In particular, the memory-load pairs $\{(M_t, R_t) : t \in [0:K]\}$ satisfy (29) with equality. Moreover, if $M = M_t$ and $R = R_t$ for some $t \in [0:K]$, then the subpacketization is at least $L\binom{K}{t}$.
Remark 7 (Subpacketizations). By the procedure described in Section V, we can easily obtain RSP-LFR schemes from existing PDA constructions, such as those in [10]-[14]. It was shown in [9] that the PDA-based construction in [10] achieves a slightly larger load than MAN-PDA for the same memory size, while reducing the subpacketization by a factor that increases exponentially with $K$. Thus, PDAs in [10] sacrifice some load for an exponential reduction in subpacketization.
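The following Python code is an added example, not code from the paper. It checks the two PDA conditions of Definition 1 on an array, builds the MAN-PDA using the standard construction from [10] (rows indexed by t-subsets, ordinary symbols numbering the (t+1)-subsets in lexicographic order, which is an assumed ordering), and evaluates the memory-load pair as the single-server pair (1 + Z(N−1)/F, S/F) of [9] with the load scaled by H/L as stated in Remark 5. The function names are hypothetical.

```python
from fractions import Fraction
from itertools import combinations

STAR = "*"


def man_pda(K, t):
    """MAN-PDA A_t: one row per t-subset T of [K], one column per user k."""
    users = range(1, K + 1)
    # Ordinary symbol s = index of the (t+1)-subset T u {k} in lexicographic order.
    kappa = {J: s for s, J in enumerate(combinations(users, t + 1), 1)}
    return [[STAR if k in T else kappa[tuple(sorted(T + (k,)))] for k in users]
            for T in combinations(users, t)]


def pda_parameters(A):
    """Return (K, F, Z, S) if A satisfies Definition 1, else raise ValueError."""
    F, K = len(A), len(A[0])
    stars = {sum(A[i][j] == STAR for i in range(F)) for j in range(K)}
    if len(stars) != 1:
        raise ValueError("columns hold different numbers of '*'")
    Z = stars.pop()
    cells = {}
    for i in range(F):
        for j in range(K):
            if A[i][j] != STAR:
                cells.setdefault(A[i][j], []).append((i, j))
    S = len(cells)
    if set(cells) != set(range(1, S + 1)):
        raise ValueError("ordinary symbols must be exactly 1..S")
    for s, positions in cells.items():
        for (i, j), (i2, j2) in combinations(positions, 2):
            if i == i2 or j == j2:  # condition a): distinct rows and columns
                raise ValueError(f"symbol {s} repeats in a row or column")
            if A[i][j2] != STAR or A[i2][j] != STAR:  # condition b): '*' on the anti-diagonal
                raise ValueError(f"symbol {s} violates the 2x2 sub-array condition")
    return K, F, Z, S


def rsp_lfr_point(A, N, L, H):
    """Memory, load and subpacketization of the RSP-LFR scheme associated with PDA A."""
    K, F, Z, S = pda_parameters(A)
    memory = 1 + Fraction(Z * (N - 1), F)   # same as the single-server scheme in [9]
    load = Fraction(H, L) * Fraction(S, F)  # single-server load S/F scaled by H/L
    return memory, load, L * F


if __name__ == "__main__":
    # Toy example of Section III: N = 4 files, K = 3 users, (H, L) = (3, 2), t = 1.
    A = man_pda(3, 1)
    for row in A:
        print(row)
    print(rsp_lfr_point(A, N=4, L=2, H=3))  # (2, 3/2, 6)
```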

C. Improved Load-Memory Tradeoffs in Less Constrained Systems
Obviously, the load-memory tradeoff R(M ) in Theorem 2 is achievable for any less constrained system described in Remark 4. In this subsection, we present improved achievable results for the following three less constrained systems. The details are presented in Section VII.
where $t \in [0:K]$. Then, $R_{\text{RP-F}}(M)$ is achievable, and it satisfies
3) Robust Linear Function Retrieval (R-LFR) System ($C$ = L): In an $(N, K, L, H)$ R-LFR system, only the correctness condition (11a) must be guaranteed for all LFR demands.
Theorem 6. For an $(N, K, L, H)$ R-LFR system, let $R_L(M)$ be the lower convex envelope of the following points where $t \in [0:K]$. Then, $R_L(M)$ is achievable and it satisfies
That is, the coded contents stored at server $h$ are We use the following notations similarly to (5) for any $a = (a_1, \ldots, a_N) \in \mathbb{F}_q^N$ to denote the linear combination of (un)coded packets: Notice that $(W_{a,1,i}, \ldots, W_{a,H,i})$ is the MDS codeword of $(W_{a,1,i}, \ldots, W_{a,L,i})$, i.e., . Each user $k \in [K]$ locally generates a random vector $p_k$ uniformly over $\mathbb{F}_q^N$, and constructs its local cache $Z_k$ as
Delivery Phase: Assume that user $k \in [K]$ demands $W_{d_k}$, for some $d_k \in \mathbb{F}_q^N$. Then user $k \in [K]$ sends query $q_k = d_k + p_k$ to all the servers, i.e., the queries $Q_{k,[H]}$ are constructed as where (a) follows from $q_k = p_k + d_k$. Therefore, user $k \in [K]$ can decode $W_{d_k,l,i}$ from the signal $Y_{l,s}$ by canceling the remaining terms since 1) the coded packet $V_{l,a_{i,k}} + W_{p_k,l,i}$ is cached by user $k$ by (42c); where: (52b) follows from (43) (42c)). In addition, the $p_k$ in (42a) can be stored with $N$ symbols. Recall that, each column of a $(K, F, Z, S)$ PDA has $Z$ "$*$"s and $F - Z$ ordinary symbols, thus, the needed cache size is
The achievability of the point $(M_t, R_t)$ directly follows from Theorem 1 and the $(K, \binom{K}{t}, \binom{K-1}{t-1}, \binom{K}{t+1})$ MAN-PDA $A_t$ in Definition 2. Moreover, the lower convex envelope of the points in (26) can be achieved by memory-sharing technique [1].
For the gap result, we derive the following lemma for any C ∈ Ω.
Lemma 1. For any $C \in \Omega$, for any feasible $M$,
Proof: For an $(N, K, L, H)$ system with the constraint $C$, for any feasible design of caches $Z_{[K]}$ and signals $X_{[H]}$ satisfying the constraint $C$, for any $\mathcal{L} \subseteq [H]$, the contents $Z_{[K]}$ and signals $X_{\mathcal{L}}$ are a feasible scheme for the single server system with the same constraint $C$. Thus, Therefore, where (58c) follows from Han's inequality [33]. Let $R_{LSP_U}(M)$ be the lower convex envelope of the following points: for each $t \in [0:K]$, Notice that $R_{LSP_U}(M)$ is achievable by the key superposition scheme in [9] for the single server system with constraint $LSP_U$. Comparing (26) where (a) follows from the fact $R^*_{LSP}(M) \ge R_{LSP_U}(M)$, since the constraint LSP is stronger than the constraint $LSP_U$. Thus, the claimed multiplicative gap result directly follows from (60) and the bound for
Consider a single server network with constraint $LSP_U$ as in [9]. For any $(K, F, Z, S)$, the scheme proposed in [9] from PDA $A$ achieves the memory-load pair $(M_A, R_A) = \left(1 + \frac{Z(N-1)}{F}, \frac{S}{F}\right)$. The following conclusion was proved in [9].
Lemma 2 (From [9, Theorem 2]). Given a (K, F, Z, S) PDA A, if the associated scheme for the single server system with constraint LSP U achieves a memory-load pair (M A , R A ), then necessarily .
In particular, the memory- where: (62a) follows from Remark 5; (62b) follows from (61); and (62c) follows from the fact $M = M_A = M_A$ by Remark 5. Therefore, we proved (29). The fact that memory pairs $\{(M_t, R_t) : t \in [0:K]\}$ satisfy (29) with equality can be verified trivially. Moreover, if $M = M_A = M_t$ and $R = R_A = R_t$, then $M_A = M_t$ and $R_A = R_t$, by the facts $M_t = M_t$, $R_t = \frac{H}{L} \cdot R_t$ and Remark 5. Therefore, by Lemma 2, it must hold that $F \ge \binom{K}{t}$. Thus, by Theorem 1, the subpacketization of the RSP-LFR scheme is at least $L\binom{K}{t}$.

VII. IMPROVED LOAD-MEMORY TRADEOFFS IN LESS CONSTRAINED SYSTEMS
The basic idea for improving the load-memory tradeoff in less constrained systems is that in the case the security condition (11b) is not imposed (i.e., the constraint $C$ does not contain S), some redundant signals may be removed when $N \le K$ as in [3], [4]. Notice that in such less constrained systems, Consider a fixed MAN-PDA $A_t$ in (24), where $F = \binom{K}{t}$ and $S = \binom{K}{t+1}$. Notice that each row of $A_t$ is associated to a subset of size $t$, i.e., for any given $a \in \mathbb{F}_q^N$ and $l \in [L]$ or $h \in [H]$, each linear combination of files $W_{a,l,u}$ or $W_{a,h,u}$ is associated to the subset $T_u \subseteq [K]$. For notational simplicity, in this section, for each $u \in [\binom{K}{t}]$, denote $W_{a,l,T_u} := W_{a,l,u}$, $W_{a,h,T_u} := W_{a,h,u}$.
Moreover, each signal $Y_{l,s}$ or $Y_{h,s}$ is associated to a subset $J \subseteq [K]$ of size $t + 1$, i.e., the subset $J$ such that $s = \kappa_{t+1}(J)$. Denote In RP-LFR, RP-FR and R-LFR systems, the security condition (11b) is not imposed. Thus, the security keys can be dropped, i.e., instead of generating the random variables in (41) we set Therefore, with notations as in (63) and (64), by (46) and (47), we have where $(Y_{1,J}, \ldots, Y_{H,J})$ is the MDS coded version of $(Y_{1,J}, \ldots, Y_{L,J})$ with generator matrix $G$.

A. Improved Tradeoff in RP-LFR System (Proof of Theorem 4)
In the RP-LFR system, the robust correctness, user-side and server-side privacy conditions are guaranteed for all LFR demands. Notice that, the point
Delivery Phase: The queries $q_{[K]}$ are generated as in (43). Let $I \subseteq [K]$ be a subset such that the vectors $q_I$ form a maximal linearly independent subset of the vectors $q_{[K]}$. Each server $h \in [H]$ sends i.e., all the signals in (47). By continuing with the same arguments following (47), each user can correctly decode its demanded linear combination of the files.
User/Server-side Privacy: The proof that the scheme guarantees the server-side and user-side privacy conditions follows the same line of reasoning as in (51)  , and a vector $p_k \in \mathbb{F}_q^N$ of length $N$. The needed memory size is given by Let $\mathrm{rank}_q(q_{[K]})$ be the rank of vectors $q_{[K]}$, i.e., the cardinality of $I$. By (68) and (69), each server sends packets, and $K$ vectors of length $N$. Notice that the worst case is $\mathrm{rank}_q(q_{[K]}) = \min\{N, K\}$, therefore, the load is given by
Gap Result: Let $R_{LP_U}(M)$ be the load-memory tradeoff achieved by the scheme in [8] in the single server case, where user-side privacy is guaranteed for all LFR demands, which is given by the lower convex envelope of the point $(0, N)$ and the following points where $t \in [0:K]$. Notice that, for the corner points with $M = 0$ and $M \in \{M_t^{LP_U} : t \in [0:K]\}$, it always holds Since the corner points coincide on $M$, (75) holds for all $M \in [0, N]$. Moreover,

B. Improvement in RP-FR System (Proof of Theorem 5)
In RP-FR system, the robust correctness, user-side and server-side privacy conditions are guaranteed for all FR demands. The proof of Theorem 5 follows similarly to the proof of Theorem 4 in Section VII-A, with the following distinctions.
Placement Phase: Instead of generating $p_1, \ldots, p_K$ uniformly from $\mathbb{F}_q^N$, we let $p_1, \ldots, p_K$ be generated uniformly from $\{(x_1, \ldots, x_N) \in \mathbb{F}_q^N : \sum_{n \in [N]} x_n = q - 1\}$.
Performance: Since the queries $q_1, \ldots, q_K$ are generated as in (43) and the demands $d_1, \ldots, d_K \in \{e_1, \ldots, e_N\}$, the queries are uniformly distributed over the $(N-1)$-dimensional subspace $\{(x_1, \ldots, x_N) \in \mathbb{F}_q^N : \sum_{n \in [N]} x_n = 0\}$. Thus, in the worst case, $\mathrm{rank}_q(q_{[K]}) = \min\{K, N - 1\}$. As a result, the achieved memory-load pair $(M_t^{FP}, R_t^{FP})$ is given by
Gap Result: Let $R_{FP_U}(M)$ be the lower convex envelope of the point $(0, N)$ and points M Then gap result directly follows from the upper bound for

C. Improvement in R-LFR System (Proof of Theorem 6)
In the R-LFR system, only the robust correctness condition must be guaranteed for all LFR demands. As a result, in addition to dropping the security keys (see (65)), the privacy keys can also be dropped, i.e., set to zero. In particular, the stored contents in (67b) and (67c) can be dropped, i.e., set to zero. The correctness can be easily verified by setting $p_1 = \ldots = p_K = 0$ and following the same line of reasoning as in Section VII-A. The distinctions are in performance and gap results.
Performance: In the modified scheme for the R-LFR system, only the contents in (67a) are stored. The delivered signals are the same as in (68). Thus, the achieved memory-load pair is given by where $t \in [0:K]$. The lower convex envelope of those points can be achieved by memory-sharing.
Gap Result: Let $R_F(M)$ be the lower convex envelope of the points which is proved to be achievable in the single server case for all FR demands in [3]. Following the same line of reasoning as to obtain (76), we have  (30,10,15,20), (25,20,15,20), (10,30,15,20), respectively. From the figures, we observe:
1) For $N \ge \frac{K+1+\sqrt{3K^2+1}}{2}$ (Fig. 2(a)), the MAN-PDA based scheme in the RSP-LFR system achieves the same tradeoff as that in the RP-LFR and RP-FR systems on the interval $M \in [1, N]$. This is because: i) there are no redundant signals to be removed in RP-LFR or RP-FR; ii) the privacy keys and security keys are stored in the superposition form; iii) the lower convex envelope of $(0, N)$ and $\{(M_t, R_t) : t \in [0:K]\}$ is formed by connecting $(0, \frac{HN}{L})$ and $(M_0, R_0), (M_1, R_1), \ldots, (M_K, R_K)$ sequentially. This can be verified by letting the slope of the line connecting $(0, \frac{HN}{L})$ and $(M_0, R_0)$ be no larger than the slope of the line connecting $(M_0, R_0)$ and $(M_1, R_1)$, i.e., which indicates that $N$ should satisfy $N \ge \frac{K+1+\sqrt{3K^2+1}}{2}$. The improved tradeoff in the R-LFR system is due to the saved memory for keys for the regime $M \in [1, N]$, and there is no need to guarantee privacy by sending all coded files at $M = 0$ (i.e., the point $(0, K)$ is achievable in the R-LFR system).

$\frac{K+1+\sqrt{3K^2+1}}{2}$, except that now there is a slight improvement in RP-LFR and RP-FR systems over the RSP-LFR system in the interval $M \in [1, 1 + \frac{N-1}{K}]$. This improvement comes from taking the lower convex envelope with the additional point $(0, \frac{HN}{L})$ (observe that (83) does not hold). Notice that for the case $N > K$ (Fig. 2(a) and 2(b)), all the tradeoffs are proved to be within a constant multiplicative gap of the optimal tradeoff in their respective setups.
3) For the case $N \le K$ (Fig. 2(c)), the tradeoff in RP-LFR and RP-FR systems is significantly smaller than that in the LSP-LFR system for the small $M$ regime, because: i) The trivial point $(M, R) = (0, \frac{HN}{L})$ can be achieved, and thus memory-sharing the other points with this point increases the performance. ii) For $M \in \{M_t : t \in [0:K-N]\}$, some redundant signals are removed in RP-LFR and RP-FR, similarly to [3], [4]. In this case, due to the use of security keys in the RSP-LFR system, the counterpart of redundant signals in RP-LFR and RP-FR systems cannot be obtained from the counterpart of the transmitted signals. Notice that the tradeoff in RP-FR is slightly better than that in the RP-LFR system, since the number of removed redundant signals in the RP-FR system is $\binom{K-N+1}{t+1}$, which is larger than that in the RP-LFR system, $\binom{K-N}{t+1}$. The improvement in the R-LFR system over RP-LFR/RP-FR systems comes from the saved memory size for privacy keys.

IX. CONCLUSION
A PDA-based key superposition RSP-LFR scheme is proposed for MDS distributed storage systems that simultaneously guarantees content security against a wiretapper having access to the delivery signals and demand privacy against both servers and colluding users. The load-memory tradeoff turns out to be the single-server one scaled by the inverse of the rate of the MDS code in order to guarantee robustness against link/server failures. The performance of the MAN-PDA-based RSP-LFR scheme is shown to be to within a multiplicative gap of at most eight from optimal in all regimes, except for the small memory regime with fewer files than users. Moreover, in three less restrictive systems without the security constraint (i.e., RP-LFR, RP-FR, and R-LFR systems), some redundant signals can be removed to further improve the load-memory tradeoff, which are proved to be within a constant multiplicative gap of the optimal tradeoff in their respective setups.