On the Existence of XOR-Based Codes for Private Information Retrieval with Private Side Information

Abstract

We consider the problem of Private Information Retrieval with Private Side Information (PIR-PSI), wherein the privacy of the demand and the side information are jointly preserved. Although the capacity of the PIR-PSI setting is known, we observe that the underlying capacity-achieving code construction uses Maximum Distance Separable (MDS) codes therefore contributing to high computational complexity when retrieving the demand. Pointing at this drawback of MDS-based PIR-PSI codes, we propose XOR-based PIR-PSI codes for a simple yet non-trivial setting of two non-colluding databases and two side information files at the user. Although our codes offer substantial reduction in complexity when compared to MDS-based codes, the code-rate marginally falls short of the capacity of the PIR-PSI setting. Nevertheless, we show that our code-rate is strictly higher than that of XOR-based codes for PIR with no side information. As a result, our codes can be useful when privately downloading a file especially after having downloaded a few other messages privately from the same database at an earlier time-instant.

1. Introduction

Private Information Retrieval (PIR) deals with the design of queries to a database to provide privacy to the messages downloaded by the user. A trivial way of achieving information-theoretic privacy is to download all the messages stored in the database so that the identity of the demand, i.e., the message the user wants, will be unknown. However, it is well known that this increases the download cost substantially. Ever since the problem of PIR was first introduced in [1], various methods have been introduced to efficiently retrieve the demand with privacy, including the code constructions that achieve the capacity of the classic PIR problem [2]. Other than the capacity-achieving code constructions, several low-complexity constructions are also known [3,4] for the classic PIR problem.

Since the contribution of [2], numerous variants of the PIR problem have gained attention [5,6,7]. Among them, an important variant is the problem of PIR with side information. In this setting, the user already knows one or more messages in the database, and she uses this information to reduce the download cost compared to that without side information. The work on PIR with side information began with the cache-aided PIR in [8]. Other crucial works on PIR-SI were followed in [9,10,11,12,13]. A prominent variant of PIR with side information is the problem of PIR with private side information (PIR-PSI), wherein the privacy of both the demand and the side information are jointly preserved, i.e., the database should not know which message is being queried by the user and which side information is available at her. The application of PIR-PSI has practical significance when users must query a message privately from a database after having downloaded a few other messages privately from the same database at an earlier time-instant. Suppose a user has already queried messages A and B with full privacy. Furthermore, suppose that the same user wants to query another message C at a later point in time. One way to query C is using the capacity-achieving fully private scheme [2]. Alternatively, the user can reduce the download cost for retrieving C using A and B as the side information. This way, as the number of side information messages increases, the download cost for a particular demand can potentially decrease. For these applications, PIR-PSI protocol ensures that demand is downloaded with the help of side information, while jointly preserving the privacy of both the demand and the side information.

1.1. Existing Codes for PIR-PSI Setting and Their Limitations

A solution for PIR-PSI was first developed by Kadhe et al. in [14] for the single database setting. Chen et al. further extended it in [15] for multiple databases in colluding and non-colluding environments. Both their schemes achieved capacity; however, both the schemes for single database and multiple databases mentioned in [14,15], respectively, rely on Maximum Distance Separable (MDS) codes. From the viewpoint of implementation, it is well known that any MDS-coded scheme would have high computational complexity compared to a counterpart code that is constructed using XOR bit additions. For example, consider the code in [15] for two non-colluding databases with three messages $A,B,C$ with a length of eight bits per message. Let A be the demand and C be the side information for a particular user. As mentioned in [Section 4.1.1] in [15], the query would initially be in the form of Sun-Jafar’s capacity-achieving scheme mentioned in [2], with four bits of A retrieved out of seven bits queried from a database. This query of seven bits would be converted to an $(n=13,k=7)$ systematic MDS code, e.g., a Reed-Solomon code, and the six bits of the non-systematic part would be downloaded. With the help of the side information C, the user can retrieve four demand bits from these six bits, therefore improving the rate. Here, the encoding operation for Reed-Solomon code would require 91 finite field multiplications and 78 finite field additions, which in turn are computation-intensive tasks compared to executing four XOR bit additions in Sun-Jafar’s capacity-achieving scheme. In general, any MDS code for PIR-PSI would depend on the message length L, as seen above, and L itself depends on $N^K$ (where N is the number of databases and K is the number of messages). Therefore, the computational complexity of MDS-coded PIR-PSI codes will exponentially increase as the number of messages increases. Please note that this discussion on complexity is not related to sub-packetization of the messages, instead it is only on the arithmetic operations post sub-packetization process.

1.2. Motivation

We note that a majority of existing PIR schemes such as in [2,7,16,17,18] are XOR-based code constructions, i.e., each database returns a set of XOR combinations of bits of various files, and similarly, the user also performs corresponding XOR operations to recover the message in demand. However, when tackling the PIR-PSI problems, instead of constructing XOR-based codes, MDS code-based constructions have been presented in [14,15]. Although these MDS codes achieve the capacity of the PIR-PSI setting, from a practical viewpoint, for a large number of messages, the number of computations would become prohibitively large to create a huge latency in downloading the demand. For instance, even though a computationally powerful database may return the queries to the user after finite field computations, performing similar finite field computations on this query for recovering the message at the user is challenging if the user’s device is not computationally powerful [19,20,21,22]. Therefore, existing PIR-PSI codes are not amenable to implementation in such cases. On the other hand, using the PIR scheme of [2], which is an XOR-based code construction, is not a good idea as it would affect the rate for not exploiting the side information. With this background, we ask the question: are there PIR-PSI codes based on XOR computations with rates strictly more than the code in [2]?

1.3. Contributions

Inspired by the problem statement discussed above, we make the following contributions in this paper:

• We present the first XOR-based code construction for the PIR-PSI problem. Our code construction is applicable for the scenario when K messages, each of length $L=2^{K-1}$ bits, are replicated across $N=2$ non-colluding databases, and the user wishes to retrieve a message with $M=2$ side information at her side. Although the setting of $N=2$ databases and $M=2$ side information messages may be applicable to a specific distributed storage model, we highlight that the code contribution is non-trivial as it affirmatively answers the question posed in the motivation section, and moreover it is applicable for any K.
• Owing to the use of XOR-based queries, we show that our codes offer substantial reduction in the decoding complexity compared to the MDS-based counterparts of [15]. However, the rate of our codes marginally fall short of the capacity of the PIR-PSI problem for the setting of $N=2$ non-colluding databases with $M=2$ side information at the user (as seen in Figure 1). Nevertheless, the rates of our codes are strictly higher than that of the fully private codes [2] therefore advertising themselves as a preferred choice when privately downloading a message after having downloaded a few other messages privately from the same database at an earlier time-instant. For $N=2$ and $M=2$, a comparison between existing solutions for PIR-PSI and our solution is captured in

  Table 1. Table comparing the rate of our scheme with the capacity of PIR-PSI setting.

  Scheme	Rate	Method	Computational Complexity
  [15]	$\frac{2^{K-3}}{2^{K-2}-1}$	MDS coding	High. Exponential as
  	(higher than our code)		K increases. Finite field
  			multiplication involved.
  Our scheme	$\frac{2^{K-2}}{2^{K-1}-1}$	XOR	Low. Bit-wise XOR involved
  [2]	$\frac{2^{K-1}}{2^K-1}$	XOR	Low. Bit-wise XOR involved
  	(lower than our code)

  .
• For the proposed code construction, we prove the joint-privacy property by explicitly showing that the query to one of the databases can be fixed, and then the query to the other database can be modified in such a way that any combination of side information can be used to retrieve any demand from the two databases. This is a novel approach to physically verify the privacy of any XOR-based PIR codes.

We believe that our work opens up a wide range of new problems for investigation, such as: (i) Does the XOR constraint in the code construction reduce the rate of the codes from the capacity of PIR-PSI? (ii) Are there capacity-achieving XOR-based code construction for PIR-PSI?, if not, what is the capacity of XOR-based PIR-PSI codes?

1.4. A Sneak-Peek at Our Codes

Before formally stating the problem statement, and presenting the code construction, we present an example for our codes with $K=4$. This example serves two purposes: (i) assists the reader to verify the PIR-PSI property explicitly, and (ii) confirms that the rate is higher than the code in [2]. Consider two databases $N_1$ and $N_2$ with four messages $A,B,C$ and D of length eight bits each. Let a user want to retrieve message A with B and C as the side information.

Table 2. Query obtained as per the proposed code construction when A is the demand, and B and C are the side information.

Query to ${\mathit{N}}_1$	Query to ${\mathit{N}}_2$
$A_1$	$A_5$
$A_2+B_1$	$A_6+B_1$
$B_2+C_1$	$B_2+C_1$
$B_3+D_1$	$B_3+D_3$
$C_2+D_2$	$C_2+D_4$
$A_3+C_3+D_3$	$A_7+C_3+D_1$
$A_4+B_4+C_4+D_4$	$A_8+B_4+C_4+D_2$

shows the query obtained as per the proposed code construction to retrieve eight bits of A from using B and C as side information. In this description of the code, the notation $A_1,A_2,\dots ,A_8$ denote the eight bits of the file A. Similarly, $\left\{B_i\right|1\le i\le 8\}$, $\left\{C_i\right|1\le i\le 8\}$, and $\left\{D_i\right|1\le i\le 8\}$ denote the eight bits of the files $B,C$ and D, respectively.

To show the privacy of the code in Table 2, we fix the query to $N_1$ (that was generated when A is the demand and $B,C$ are the side information), and then generate all possible queries to $N_2$ such that any demand can be retrieved using any two side information. All possible queries to $N_2$ when D is a side information, a byproduct, and the demand, are listed in

Table 3. For a given query to $N_1$ (in the first column), all possible queries to $N_2$ when D is a side information.

Query to ${\mathit{N}}_1$	($\mathit{A},\mathit{BD},\mathit{C}$)	($\mathit{A},\mathit{CD},\mathit{B}$)	($\mathit{B},\mathit{AD},\mathit{C}$)	($\mathit{B},\mathit{CD},\mathit{A}$)	($\mathit{C},\mathit{AD},\mathit{B}$)	($\mathit{C},\mathit{BD},\mathit{A}$)
$A_1$	$A_5$	$A_5$	$A_1$	$A_2$	$A_1$	$A_3$
$A_2+B_1$	$A_6+B_1$	$A_6+B_2$	$A_2+B_5$	$A_1+B_5$	$A_2+B_2$	$A_4+B_1$
$B_2+C_1$	$B_2+C_3$	$B_1+C_3$	$B_6+C_2$	$B_6+C_2$	$B_1+C_5$	$B_2+C_5$
$B_3+D_1$	$B_3+D_1$	$B_4+D_1$	$B_7+D_1$	$B_7+D_1$	$B_4+D_1$	$B_4+D_1$
$C_2+D_2$	$C_4+D_2$	$C_4+D_2$	$C_1+D_2$	$C_1+D_2$	$C_6+D_2$	$C_6+D_2$
$A_3+C_3+D_3$	$A_7+C_1+D_3$	$A_7+C_1+D_3$	$A_3+C_4+D_3$	$A_4+C_4+D_3$	$A_3+C_7+D_3$	$A_1+C_7+D_3$
$A_4+B_4+C_4+D_4$	$A_8+B_4+C_2+D_4$	$A_8+B_3+C_2+D_4$	$A_4+B_8+C_3+D_4$	$A_3+B_8+C_3+D_4$	$A_4+B_3+C_8+D_4$	$A_2+B_3+C_8+D_4$

,

Table 4. All possible queries to $N_2$ when D is a byproduct.

Query to ${\mathit{N}}_1$	($\mathit{A},\mathit{BC},\mathit{D}$)	($\mathit{B},\mathit{AC},\mathit{D}$)	($\mathit{C},\mathit{AB},\mathit{D}$)
$A_1$	$A_5$	$A_1$	$D_2$
$A_2+B_1$	$A_6+B_1$	$A_2+B_5$	$A_1+D_3$
$B_2+C_1$	$B_2+C_1$	$B_6+C_1$	$B_1+C_5$
$B_3+D_1$	$B_3+D_3$	$B_7+D_2$	$B_2+D_4$
$C_2+D_2$	$C_2+D_4$	$C_2+D_1$	$A_2+C_6$
$A_3+C_3+D_3$	$A_7+C_3+D_1$	$A_3+C_3+D_4$	$A_3+B_3+C_7$
$A_4+B_4+C_4+D_4$	$A_8+B_4+C_4+D_2$	$A_4+B_8+C_4+D_3$	$A_4+B_4+C_8+D_1$

and

Table 5. All possible queries to $N_2$ when D is the demand.

Query to ${\mathit{N}}_1$	($\mathit{D},\mathit{BC},\mathit{A}$)	($\mathit{D},\mathit{AC},\mathit{B}$)	($\mathit{D},\mathit{AB},\mathit{C}$)
$A_1$	$D_5$	$A_1$	$C_2$
$A_2+B_1$	$D_6+B_1$	$A_2+D_5$	$A_1+C_3$
$B_2+C_1$	$B_2+C_1$	$D_6+C_1$	$B_1+D_5$
$B_3+D_1$	$B_3+A_3$	$D_7+B_2$	$B_2+C_4$
$C_2+D_2$	$C_2+A_4$	$C_2+B_3$	$A_2+D_6$
$A_3+C_3+D_3$	$D_7+C_3+A_1$	$A_3+C_3+B_4$	$A_3+B_3+D_7$
$A_4+B_4+C_4+D_4$	$D_8+B_4+C_4+A_2$	$A_4+D_8+C_4+B_2$	$A_4+B_4+D_8+C_1$

, respectively. In this context, a byproduct is a message that is neither side information nor demand. In all the three tables, the three-tuple format on the top row indicates (Demand, Side Information, Byproduct) combination for the query in that column. In each of the cases, we highlight that the structure of the queries to $N_2$ are unaltered compared to the original query to $N_2$ in Table 2.

From Table 3, Table 4 and Table 5, it is evident that from the perspective of $N_1$ the query given in Table 2 can be for any demand-side information combination. Since the structure of query at $N_2$ is exactly same as that of $N_1$, a similar reasoning can also be applied to show that for a query at $N_2$, any demand can be retrieved using any side information from $N_1$. Thus, $N_1$ and $N_2$ cannot identify the identity of the demand and the side information jointly, and hence, the scheme is jointly private.

The rest of the paper concerns the following sections. Section 2 presents the problem statement and related notations. Section 3 presents the code construction, whereas Section 4 provides the proof for joint privacy of the XOR-based codes for arbitrary values of K. Section 5 exemplifies the privacy proof for the case when $K=7$. Finally, some directions for future research are presented in Section 6. A preliminary version of this work is also available at [23].

2. Problem Statement

Consider two replicated non-colluding databases, $N_1$ and $N_2$ with K messages namely $X_1,X_2,\dots ,X_{K-1},X_K$. All the K messages are of size $L=2^{K-1}$ bits which are independent and uniformly distributed. Therefore, we denote the i-th file $X_i$ as $X_i=[X_{i,1},X_{i,2},\dots ,X_{i,L}]$. Among the K messages, let $X_{\gamma }$, for $\gamma \in \left[K\right]$, be the demand message for a user who already has $M=2$ side information messages $X_{\alpha }$ and $X_{\beta }$, such that $\alpha ,\beta \in \left[K\right]$\$\left\{\gamma \right\}$ satisfying $\alpha \ne \beta$. In this model the messages other than $X_{\gamma },X_{\alpha }$ and $X_{\beta }$ are referred to as byproducts. The user wishes to leverage the knowledge of $X_{\alpha }$ and $X_{\beta }$ to retrieve $X_{\gamma }$ by downloading fewer bits from each database compared to retrieving $X_{\gamma }$ using the scheme in [2] without using the side information. At the same time, the user also wants to jointly preserve the privacy of the demand $X_{\gamma }$ and the side information messages $X_{\alpha }$ and $X_{\beta }$, i.e., the indices $\gamma$, $\alpha$ and $\beta$ should be unknown to both databases. In the context of this work, the code for retrieving $X_{\gamma }$ should be such that each database provides the user a set of XOR additions of the bits of the K messages. This way, the user would be able to retrieve $X_{\gamma }$ by performing simple XOR bit additions on the downloaded bits while using the prior knowledge of $X_{\alpha }$ and $X_{\beta }$.

Towards constructing an XOR-based code for PIR-PSI, we make the following definitions. In order to retrieve the demand $X_{\gamma }$ using the side information $X_{\alpha }$ and $X_{\beta }$, every combination of message bits submitted to a database is referred to as codeword, the set of codewords submitted to a database is called a query, and the union of queries submitted to $N_1$ and $N_2$ is referred to as the code. When designing the codewords of a query it is important to find the right set of XOR combinations of the K message indices, and then choose the appropriate bit locations of the message indices in the XOR combinations. To formally describe the XOR combinations of the message indices, we introduce the following definitions.

Definition 1.

For a finite set $\mathcal{M}=\{M_1,M_2,\dots ,M_P\}$ containing Z distinct variables, we define a mapping Φ such that $\Phi \left(\mathcal{M}\right)={\sum }_{i=1}^Z{M}_i$ if $Z\ge 1$, and $\Phi \left(\mathcal{M}\right)=\varphi$ if $\mathcal{M}$ is empty set.

Definition 2.

With $\mathcal{X}=\{X_1,X_2,\dots ,X_K\}$, we define a power set-based skeleton structure $P\left(\mathcal{X}\right)=\{\Phi (\mathcal{V}\left)\right|\forall \mathcal{V}\in PS\left(\mathcal{X}\right)\}$, where $\Phi (·)$ is as introduced in Definition 1, and $PS\left(\mathcal{X}\right)$ is the power set of $\mathcal{X}$.

From Definition 2, it is clear that the queries (without specifying the bit locations of each message) submitted to $N_1$ and $N_2$ must be subsets of $P\left(\mathcal{X}\right)$ \$\left\{\varphi \right\}$, wherein the + operator in $\Phi$ is treated as XOR operation. Henceforth, throughout the paper, the queries submitted to $N_1$ and $N_2$ to retrieve $X_{\gamma }$ using the side information $X_{\alpha }$ and $X_{\beta }$ are denoted by ${\mathcal{C}}_1$ and ${\mathcal{C}}_2$, respectively, and the overall code is denoted by $({\mathcal{C}}_1,{\mathcal{C}}_2)$. To propose formal design criteria to choose the subsets of $P\left(\mathcal{X}\right)$ \$\left\{\varphi \right\}$ as queries, we define a singleton block in a query as the set of codewords that consist of only a single message bit. Similarly, we define an n-tuple sum block in a query, for $2\le n<K$, as the set of codewords that consist of XOR bit additions of n different messages.

2.1. Design Criteria for XOR-Based PIR-PSI Codes

For $N=2$, $M=2$ and any $K\ge 3$, let $({\mathcal{C}}_1,{\mathcal{C}}_2)$ be an XOR-based code to retrieve $X_{\gamma }$ using the side information $X_{\alpha }$ and $X_{\beta }$ The code $({\mathcal{C}}_1,{\mathcal{C}}_2)$ is said to be XOR-based PIR-PSI code if keeping the query to $N_1$ (or $N_2$) unchanged, it is possible to design a query to $N_2$ (or $N_1$) such that

• Condition 1: any demand can be retrieved from $N_1$ and $N_2$ using any two side information messages.
• Condition 2: the structure of the new query to $N_2$ (or $N_1$) is same as that of ${\mathcal{C}}_2$ (or ${\mathcal{C}}_1$), namely: (i) the number of singleton and n-tuple sum blocks is the same, for any $2\le n\le K-1$, and (ii) the frequency distribution of the message bits across all the codewords in the query is the same as that of ${\mathcal{C}}_2$ (or ${\mathcal{C}}_1$).

We take a two-step approach to design codes satisfying the above criteria. First, we present the queries of the code for a given demand $X_{\gamma }$ and a pair of side information $X_{\alpha }$ and $X_{\beta }$, and prove the correctness of the construction in retrieving $X_{\gamma }$. Subsequently, we present a rigorous proof to show that keeping the query to $N_1$ (or $N_2$) unchanged, new queries to $N_2$ (or $N_1$) can be constructed by satisfying Condition 1 and Condition 2. We show that the rate of code is more than that of [2], implying that our codes can be used when sequentially downloading files at different time-instants. The construction procedure for XOR-based PIR-PSI code is explained in the next section.

3. XOR-Based PIR Codes with Private Side Information

Among the K messages, let $X_1$ be the demand, and $X_2$ and $X_3$ be the side information. With $M=2$, our construction is applicable only for $K\ge 3$. For $K=3$, the code construction is trivial with rate one since an XOR version of all the files can be downloaded. For $K>3$, the ingredients and the instructions provided in the next two sections must be followed to obtain the queries for $N_1$ and $N_2$. Although the individual bits of the K files will be used to retrieve the L bits of $X_1$, first, our construction provides a way to place the file index in the query, and then describes a way to choose the specific bits of each file in the query. Along with the steps for ingredients and code construction, a running example for $K=4$, with messages $A,B,C,D$ is also presented, wherein A plays the role of demand, i.e., $X_1$, B and C play the role of side information, i.e., $X_2$, and $X_3$.

3.1. Ingredients and Construction Strategy

With $\mathcal{X}=\{X_1,X_2,\dots ,X_{K-1}\}$, we construct $P\left(\mathcal{X}\right)=\{\Phi (\mathcal{V}\left)\right|\forall \mathcal{V}\in PS\left(\mathcal{X}\right)\}$, where $\Phi (·)$ is as introduced in Definition 1, $PS\left(\mathcal{X}\right)$ is the power set of $\mathcal{X}$. In the context of the running example with $K=4$, we have $\mathcal{X}=\{A,B,C\}$, and therefore, $P\left(\right\{A,B,C\left\}\right)$ is given in

Table 6. $P\left(\mathcal{X}\right)$ for the running example.

$\mathit{P}\left(\right\{\mathit{A},\mathit{B},\mathit{C}\left\}\right)$
$\varphi$
A
B
C
A+B
A+C
B+C
A+B+C

.

Owing to the use of power set, the elements of $P\left(\mathcal{X}\right)$ are unique, generating a total of $2^{K-1}$ elements using $2^{K-2}$ copies of each message. Towards converting $P\left(\mathcal{X}\right)$ into a query, we will allocate distinct indices for each copy of the message, therefore resulting in $2^{K-2}$ unique bits of a message. This will ensure that the query at this stage will contain $K-1$ messages each containing $L=2^{K-2}$ bits. In order to prepare the desired query with K messages, we need to add $2^{K-2}$ copies of the message $X_K$ to the existing elements of $P\left(\mathcal{X}\right)$. In the context of the example, as seen in Table 6, 4 bits of $A,B,C$ are present in $P\left(\right\{A,B,C\left\}\right)$. Therefore, 4 copies of D should be added at different positions. In the next section, we provide a set of instructions to add $X_K$.

3.2. Algorithm for Code Construction

1. Rewrite $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$ as $P\left(\{X_1,X_2\}\right)$⨂$P\left(\{X_3,X_4,\cdots ,X_{K-1}\}\right)$, where ⨂ operator can be defined on two sets ${\mathcal{M}}_1$ and ${\mathcal{M}}_2$ as

$${\mathcal{M}}_1⨂{\mathcal{M}}_2=\{\alpha +\beta ,|\forall \alpha \in {\mathcal{M}}_1,\beta \in {\mathcal{M}}_2\},$$

such that $\varphi +\varphi =\varphi$, $\alpha +\varphi =\alpha$ and $\varphi +\beta =\beta$. For the example with $K=4$, it is straightforward to verify that applying ⨂ operator on $P\left(\right\{A,B\left\}\right)$ and $P\left(\right\{C\left\}\right)$, as given in

Table 7. Step 1 applied on the running example.

$\mathit{P}\left(\right\{\mathit{A},\mathit{B}\left\}\right)$	$\mathit{P}\left(\right\{\mathit{C}\left\}\right)$
$\varphi$	$\varphi$
A	C
B
A+B

, gives $P\left(\right\{A,B,C\left\}\right)$ given in Table 6.

2. From Step 1, we know that the size of $P\left(\{X_3,X_4,\cdots ,X_{K-1}\}\right)$ is $2^{K-3}$. Form a new table with two columns, namely: Column 1 and Column 2. Excluding $\varphi$, replicate the $2^{K-3}-1$ entries of $P\left(\{X_3,X_4,\cdots ,X_{K-1}\}\right)$ into two columns, therefore forming a total of $2(2^{K-3}-1)=2^{K-2}-2$ elements. For the example, $\varphi$ is removed from $P\left(\right\{C\left\}\right)$, and the remaining element is replicated into 2 columns as shown in

Table 8. Step 2 applied on the running example.

Column 1	Column 2
C	C

.

3. Add $X_K$ to all the entries of Column 1. Leave Column 2 unaltered. Through this step, out of the $2^{K-2}$ copies, $2^{K-3}-1$ copies of $X_K$ are added. For the example, the two columns are as shown in

Table 9. Step 3 applied on the running example.

Column 1	Column 2
C+D	C

.

4. Form a new table with two columns, namely: Column 1’ and Column 2’. Perform ⨂ operation between $\{\varphi ,X_1+X_2\}$ and all the entries in the two-tuple sum block and three-tuple sum block of Column 1 from Step 3, and place the result in Column 1’. Similarly, perform ⨂ operation between $\{X_1,X_2\}$ and all the entries in the singleton block and two-tuple sum block of Column 2 from Step 3, and place the result in Column 2’. In the example, only a singleton block is present, and therefore, the corresponding Column 1’ and Column 2’ are presented in

Table 10. Step 4 applied on the running example.

Column 1’	Column 2’
C+D	C+A
C+D+A+B	C+B

.

5. Skip this step if $K<=5$ since largest value of n for the n-tuple sum block is 2. This is already addressed in the previous step.

• If K = 6 or 7, perform ⨂ operation between $\{X_1,X_2\}$ and all the entries in the n-tuple sum block, for $n\in \{4,5,\dots ,K-2\}$ of Column 1, and append the result in Column 1’. Similarly, perform ⨂ operation between $\{\varphi ,X_1+X_2\}$ and all the entries in the n-tuple sum block, for $n\in \{3,4,\dots ,K-3\}$, of Column 2, and append the result in Column 2’.
• If $K>7$, perform ⨂ operation between $\{X_1,X_2\}$ and all the entries in the n-tuple sum block, for $n\in \{4,5,\dots ,K-3\}$ of Column 1, and append the result in Column 1’. Similarly, perform ⨂ operation between $\{\varphi ,X_1+X_2\}$ and all the entries in the n-tuple sum block, for $n\in \{3,4,\dots ,K-4\}$, of Column 2, and append the result in Column 2’. However, for the $(K-2)$-tuple sum block in Column 1, perform ⨂ operation with $\{\varphi ,X_1+X_2\}$ and append the result in Column 1’. Similarly, for the $(K-3)$-tuple sum block in Column 2, perform ⨂ operation $\{X_1,X_2\}$ and append the result in Column 2’.

This step is not applicable to the running example since $K=4$. At the end of this step, both Column 1’ and Column 2’ contain $2^{K-2}-2$ elements each owing to the ⨂ operation. With this, we highlight that the union of Column 1’and Column 2’ has generated $2^{K-1}-4$ elements of $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$. This does not include $\{\varphi ,X_1,X_2,X_1+X_2\}$ since $\varphi$ of $P\left(\{X_3,X_4,\dots ,X_{K-1}\}\right)$ was excluded when constructing Column 1 and Column 2 in Step 2. Furthermore, since $X_K$ was already added to Column 1 (containing $2^{K-3}-1$ elements), at the end of Step 5, Column 1’ contains $2^{K-2}-2$ copies of $X_K$. This implies that only two more copies of $X_K$ are to be added to ensure that each message has $2^{K-2}$ copies. In the example, Step 3 added one copy of D, and Step 4 made it two copies. Now two more copies are remaining.

6. From $\{\varphi ,X_1,X_2,X_1+X_2\}$, omit $\varphi$, and add $X_K$ to $X_2$. This generates $\{X_1,X_2+X_K,X_1+X_2\}$. Place these elements in a new column, referred to as Column 3. Please note that one more copy of $X_K$ must be added to achieve $2^{K-2}$ copies. In the example, Column 3 is given in

Table 11. Step 6 applied on the running example.

Column 3
A
B+D
A+B

.

7. Form the query to $N_1$ by taking the union of all the elements in Column 1’, Column 2’ and Column 3. By construction, this set contains $X_1+X_3$ coming from Column 2’. Therefore, add the last remaining copy of $X_K$ to $X_1+X_3$, and update it as $X_1+X_3+X_K$. Thus, we have a total of $2^{K-1}-1$ elements in this query constructed by adding $2^{K-2}$ copies of K files $\{X_1,X_2,\dots ,X_K\}$. Finally, in the query to $N_1$, provide distinct indices to every copy of a message therefore ensuring that every bit of a message is used only once. Overall, the query is a set of linear combinations of $\left\{X_{i,j}\right|i\in \left[K\right],j\in \left[L\right]\}$. In the example, the query to $N_1$ after following the above steps are given in

Table 12. Step 7 applied on the running example without indices.

Query to ${\mathit{N}}_1$ without Indices
A
$A+B$
$B+C$
$B+D$
$C+D$
$A+C+D$
$A+B+C+D$

(without indices) and

Table 13. Step 7 applied on the running example with indices.

Query to ${\mathit{N}}_1$ with Indices
$A_1$
$A_2+B_1$
$B_2+C_1$
$B_3+D_1$
$C_2+D_2$
$A_3+C_3+D_3$
$A_4+B_4+C_4+D_4$

(with indices).

Before we present the procedure to construct the query to $N_2$, we present special structures in the query defined as the known byproduct combination and the unknown byproduct combination, and then present some results on their structure. Known byproduct combination are the bit combinations of byproducts in a codeword that does not contain the demand index. Formally, if $X_1$ is the demand, $X_2,X_3$ are the side information, and the format of the codeword is $H+W$, where $H\in P\left(\{X_2,X_3\}\right)$ and $W\in P\left(\{X_4,X_5,\dots ,X_K\}\right)$\$\left\{\varphi \right\}$, then W is the known byproduct combination. Informally, this is the combination of byproduct messages that can be retrieved from the database. Unknown byproduct combinations are the bit combinations of the byproducts in a codeword that contains the demand index with or without the side information message bits. Formally, if $X_1$ is the demand, $X_2,X_3$ are the side information, and the codeword is of the form $X_1+H+W$, where $H\in P\left(\{X_2,X_3\}\right)$ and $W\in P\left(\{X_3,X_4,\dots ,X_K\}\right)$ \$\left\{\varphi \right\}$, then W is the unknown byproduct combination. Informally, this is the combination of byproduct messages that cannot be retrieved from the database due to the unknown demand index that is along with it.

Proposition 1.

If the message combination $W\in P\left(\{X_4,X_5,\dots ,X_K\}\right)$\$\left\{\varphi \right\}$ appears as an unknown byproduct in the query to $N_1$, then it also exists as a known byproduct, but with different index values on each message.

Proof. 

By definition, if W is an unknown byproduct, then it appears in the query along with the demand $X_1$. Since W may appear alone or along with the side information messages, we shall denote the query associated with the unknown byproduct as $U=X_1+f(X_2,X_3)+W$, where $f(X_2,X_3)\in \{\varphi ,X_2,X_3,X_2+X_3\}$. From the code construction, U must be equal to $X_1+X_3+X_K$ that was added in Step 7, or it must belong to either Column 1’ or Column 2’ of Step 4 and Step 5. If $U=X_1+X_3+X_K$, then the corresponding known byproduct is available in Column 3 of Step 6. However, if U is available in Column 1’, then the corresponding known byproduct is also in Column 1’ because the elements of Column 1’ are generated by performing ⨂ operation with either $\{X_1,X_2\}$ or $\{\varphi ,X_1+X_2\}$. The same argument is also applicable if U is available in Column 2’. Finally, the index values used on the known byproduct are different from that of unknown byproduct since every copy of a message is assigned different indices as per Step 7. This completes the proof.  □

8. To generate query to $N_2$, the following instructions must be followed. Copy the structure of $N_1$ as it is without the indices of bits. For the demand $X_1$, the first $2^{K-2}$ bits are already queried in $N_1$. Therefore, give the next $2^{K-2}$ numbers as the indices of $X_1$ in $N_2$. Use the same index number on each message of the side information as that of the query in $N_1$. From Proposition 1, the query to $N_1$ produces a symmetric sequence of known and unknown byproduct combinations. List the unknown and known byproduct combinations in two separate columns in the ascending order of n-tuple length following the lexicographical order and ascending order of indices of bits. For a given byproduct combination of messages in the unknown column, an identical byproduct combination exists in the known column, but with the difference that the index values used by the unknown combination is different from the known combination. To assign index values on the byproduct messages of $N_2$, for a given byproduct combination, use the index values of the unknown combination of $N_1$ on the known combination of $N_2$, and vice-versa. This ensures that all the byproduct messages can be indexed using one-to-one mapping between the unknown and the known column.

For the given example, in the fourth and fifth bit of Table 13, $D_1$ and $D_2$ are with side information, and therefore, they become the known byproduct bits. Similarly, in the sixth and seventh bit of the query to $N_1$, $D_3$ and $D_4$ are with the demand, and therefore, they become unknown byproduct bits, as listed in

Table 14. Unknown and known byproducts of the running example.

Unknown	Known
$D_3$	$D_1$
$D_4$	$D_2$

. To generate the query for $N_2$, the structure of $N_1$ is copied without the indices. The indices of the demand are $\{5,6,7,8\}$ in $N_2$. The indices of $B,C$ are maintained as they are. Based on the one-to-one mapping in Table 14, $D_3$ and $D_1$ are swapped, and so are $D_4$ and $D_2$. Finally, the query for $N_2$ is as shown in

Table 15. Final query to $N_1$ and $N_2$.

Query to ${\mathit{N}}_1$	Query to ${\mathit{N}}_2$
$A_1$	$A_5$
$A_2+B_1$	$A_6+B_1$
$B_2+C_1$	$B_2+C_1$
$B_3+D_1$	$B_3+D_3$
$C_2+D_2$	$C_2+D_4$
$A_3+C_3+D_3$	$A_7+C_3+D_1$
$A_4+B_4+C_4+D_4$	$A_8+B_4+C_4+D_2$

. This completes the code construction.

Theorem 1.

For $N=2$ and any $K>3$, with the knowledge of side information $X_2$ and $X_3$, the proposed code construction can retrieve $2^{K-2}$ bits of $X_1$ per database by downloading $2^{K-1}-1$ bits per database. Thus, the rate of the code is

$$R=\frac{2^{K-2}}{2^{K-1}-1}.$$

(1)

Proof. 

From the code construction, the query to $N_1$ and $N_2$ are obtained by adding $2^{K-2}$ bits of $X_K$ to the power set structure $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$\$\left\{\varphi \right\}$. Since the cardinality of $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$\$\left\{\varphi \right\}$ is $2^{K-1}-1$, and every message in $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$\$\left\{\varphi \right\}$ appears $2^{K-2}$ times, the rate of the code is as given in (1). In the rest of the proof, we show that every bit of $X_1$ can be retrieved from $N_1$ and $N_2$ using the side information. If a bit of $X_1$ appears in the form of $X_1+f(X_2,X_3)$ either in $N_1$ or $N_2$, where $f(X_2,X_3)\in \{\varphi ,X_2,X_3,X_2+X_3\}$, then this bit can be retrieved since $X_1$ and $X_2$ are known. On the other hand, if a bit of $X_1$ appears in the form of $X_1+f(X_2,X_3)+W$ on database $N_1$ (or $N_2$), where $W\in P\left(\{X_4,X_5,\dots ,X_K\}\right)$\$\left\{\varphi \right\}$, then from Step 8 of the code construction this bit can also be retrieved using the side information and the corresponding known byproduct of W, which is downloaded from $N_2$ (or $N_1$). This completes the proof.  □

The above theorem provided the proof for correctness to retrieve $X_1$ using $X_2$ and $X_3$ as the side information, for any $K>3$. In the next section, we show that the proposed codes satisfy the joint-privacy criteria in Section 2.1.

4. Proof for Joint Privacy of XOR-Based PIR-PSI Codes

Our approach is to use the code construction that is designed for the case when $X_1$ is the demand and $X_2,X_3$ are the side information messages. Using this code, we fix the query submitted to $N_1$, and then show by construction that a query to $N_2$ can be generated in such a way that any demand can be retrieved from the two databases using any two messages as the side information. Considering the case of arbitrary values of K, constructions are provided in three parts, namely:

• By fixing $X_K$ as one of the side information messages, we show that a query to $N_2$ can be synthesized such that any two messages out of the remaining $K-1$ messages can play the role of the demand and the other side information.
• With $X_K$ as the demand, we show that a query to $N_2$ can be synthesized such that any two messages out of the remaining $K-1$ messages play the role of side information.
• By fixing $X_K$ as one of the byproducts, we show that a query to $N_2$ can be synthesized such that any three messages out of the remaining $K-1$ messages can play the role of the demand and two side information.

We start with the construction when $X_K$ is a side information. Since the code construction is presented by adding $2^{K-2}$ copies of $X_K$ to $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$\$\left\{\varphi \right\}$, the privacy proof for this case is directly dependent on the power set structure of $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$\$\left\{\varphi \right\}$. Given the power set structure, for any $K-3$ byproducts bits, the known and the unknown byproduct combinations in the query to $N_1$ are symmetric. As a result, the query submitted to $N_2$ must follow the same structure as that of $N_1$ except that (i) the index values of the demand will change from $2^{K-2}+1$ to $2^{K-1}$ instead of 1 to $2^{K-2}$, (ii) the known and unknown byproduct combinations are swapped similar to the proposed construction, and (iii) the index values of all the side information can be retained as they were in $N_1$. The method used for constructing query to $N_2$ under this case is summarized in the first row of

Table 16. Instructions to obtain query at $N_2$ when $X_K$ is either SI or demand.

No.	Case	Transformation	Manipulations
1	$X_K$ as SI	None	Swap the known and unknown
			byproducts to obtain query at $N_2$.
2	$X_K$ as demand,	None	Swap the known and unknown
	$X_1{X}_3$ or $X_2{X}_3$ are SI		byproducts to obtain query at $N_2$.
3	$X_K$ as demand	Pick query at	Swap the singleton bit $X_1$
	$X_1{X}_i$ are SI	$N_1$ and apply	and the bit $X_3$ from
	$2\le i\le K-1$, $i\ne 3$	$X_i\rightleftharpoons X_3$	the two-tuple sum $X_3+X_K$
4	$X_K$ as demand	Pick query at	$X_3+X_K$⇒$X_2+X_K$
	$X_2{X}_i$ are SI	$N_1$ and apply	$X_2$⇒$X_K$
	$4\le i\le K-1$	$X_1{X}_3$⇌$X_2{X}_i$	$X_2+X_1+X_i+X_K$⇒$X_2+X_1+X_i+X_3$
5	$X_K$ as demand	Pick query at	If $i=4$ and $K\le 7$, perform the following:
	$X_3{X}_i$ are SI	$N_1$ and apply	$X_4$⇒$X_K$, $X_2+X_4$⇒$X_3+X_4$, $X_2+X_3$⇒$X_5+X_3$,
	$4\le i\le K-1$	$X_1$⇒$X_4$	$X_2+X_6$⇒$X_5+X_6$, $X_2+X_K$⇒$X_4+X_K$,$X_5+X_K$⇒
			$X_5+X_1$, $X_6+X_K$⇒$X_6+X_3$, $X_4+X_1+X_5$⇒
			$X_4+X_1+X_2$, $X_4+X_5+X_6$⇒$X_4+X_K+X_6$,
			$X_3+X_1+X_5$⇒$X_2+X_K+X_5$, $X_3+X_1+X_6$⇒
			$X_2+X_K+X_4$, $X_3+X_1+X_K$⇒$X_2+X_K+X_3$,
			$X_3+X_5+X_6$⇒$X_3+X_2+X_4$, $X_3+X_6+X_K$⇒
			$X_2+X_6+X_K$, $X_4+X_2+X_3+X_K$⇒$X_1+X_5+X_3+X_K$,
			$X_4+X_2+X_1+X_K$⇒$X_1+X_2+X_6+X_4$,
			$X_4+X_2+X_5+X_K$⇒$X_4+X_2+X_5+X_6$,
			$X_4+X_2+X_6+X_K$⇒$X_4+X_1+X_6+X_K$,
			$X_4+X_2+X_1+X_5+X_6$⇒$X_4+X_3+X_1+X_5+X_6$,
			$X_4+X_1+X_5+X_6+X_K$⇒$X_3+X_1+X_5+X_6+X_K$,
			$X_4+X_3+X_1+X_5+X_6+X_K$⇒
			$X_4+X_2+X_1+X_5+X_6+X_K$. For $i\ne 4$ and $K\le 7$
			apply $X_4\rightleftharpoons X_i$ to the query obtained after transformation
			in column 3 and perform the manipulations mentioned above.
			For $K>7$, rearrange the query in column 3 such a way that
			the first $2^{K-2}-1$ codewords do not contain $X_t$ where
			$t=max\left(\right\{4,5,\dots ,K-1\left\}\right),t\ne i$. Perform manipulations on
			these codewords by the steps proposed under the same
			scenario, but by treating the message set as
			$\{X_1,X_2,\dots ,X_K\}$ \$\left\{X_t\right\}$. For the remaining $2^{K-2}$ codewords
			perform the following: Perform manipulations on all codewords
			of the form $X_t+Q+X_K$, where
			$Q\in P(\{X_1,X_2,\dots ,X_{K-1}\}$ \$\left\{X_t\right\})$ \$\left\{\varphi \right\}$ similar to the steps
			proposed under the same scenario of $K-1$ messages,
			i.e., perform the same manipulations done to the codewords of
			the form $X_{t-1}+Q^{\prime }+X_{K-1}$, where
			$Q^{\prime }\in P(\{X_1,X_2,\dots ,X_{K-2}\}$ \$\left\{X_{t-1}\right\})$ \$\left\{\varphi \right\}$ when number of
			messages was $K-1$. Similarly, the manipulations performed
			for the codewords of the form $X_{t-1}+Q^{\prime }$ when number of
			messages was $K-1$ should be repeated for all codewords of
			the form $X_t+Q$. If $K=8$, perform the following (else skip):
			$X_1+X_m+X_n+X_o+U\rightleftharpoons$$X_m+X_n+X_o+U$ and
			$X_2+X_m+X_n+X_o+U$$\rightleftharpoons X_1+X_2+X_m+X_n+X_o+U$,
			where $U\in$ $P\left(\{X_3,X_i\}\right)$, $4\le m,n,o\le K-1,m\ne n\ne o\ne i$.
6	$X_K$ as demand	Pick query at	$X_p+X_q+X_1$⇒$X_q+X_3+X_1$
	$X_p{X}_q$ are SI	$N_2$ obtained	$X_1+X_t+X_3+X_K$⇒$X_1+X_t+X_p+X_K$
	$4\le p,q\le K-1$	from case 5	where $X_t$ is some byproduct
	$p\ne q$	$X_3{X}_i\rightleftharpoons X_p{X}_q$	other than $X_1$ and $X_3$.

.

When $X_K$ is the demand message, for any given combination of the side information, i.e., $X_i{X}_j$ such that $i\ne j$ and $i,j\in \left[K\right]$\$\left\{K\right\}$, we first list the corresponding known and unknown byproduct combinations using the existing query at $N_1$. Please note that these byproduct combinations will involve the bits of messages other than that of $X_K,X_i,X_j$. Subsequently, we pick the query submitted to $N_1$, and then apply a suitable transformation between $\{X_1,X_2,X_3\}$ and $\{X_1,X_2,\dots ,X_{K-1}\}$ such that the known and the unknown byproduct combinations of the modified query are symmetric. Finally, if the known (or the unknown) byproduct combination in the query to $N_1$ is available as an unknown (or known) byproduct in the modified query, we swap their indices, otherwise, we perform suitable modifications to the modified query such that the demand $X_K$ can be retrieved. Given that the proposed code construction is applicable when $X_1$ is the demand and $X_2,X_3$ are the side information, the same set of transformations is applicable on the query to $N_1$ for the side information messages within the following classes, namely: (i) the side information is one of $\{X_1{X}_2,X_2{X}_3\}$, (ii) the side information is one of $\left\{X_1{X}_i\right|2\le i\le K-1,i\ne 3\}$, (iii) the side information is one of $\left\{X_2{X}_i\right|3\le i\le K-1\}$, (iv) the side information is one of $\left\{X_3{X}_i\right|4\le i\le K-1\}$, and (v) the side information is one of $\left\{X_i{X}_j\right|4\le i,j\le K-1,i\ne j\}$. For each of these cases, the set of transformations that must be carried on the query submitted to $N_1$ is presented in the third column of Table 16, whereas the set of manipulations that must be applied after the transformation is listed in the fourth column of Table 16. It is important to note that after applying the transformations in the third column, a subset of the unknown and known byproduct combinations of the query to $N_1$ would be symmetric with that of the transformed query. On those subsets, the known and unknown byproduct combinations must be swapped similar to the case when $X_K$ plays the role of a side information.

Finally, when $X_K$ is a byproduct, for a given demand and side information messages, we propose a sequence of transformations between the messages in the query to $N_1$ to ensure that the known and the unknown byproduct combinations match as much as that with that of the query to $N_1$. For the cases when the known and unknown byproduct combinations do not match, we propose modifications on the transformed query to retrieve all the bits of the demand.

Table 17. Instructions to obtain query at $N_2$ when $X_K$ one of the byproducts.

No.	Case	Transformation	Manipulations
9	$X_1$ as demand, $X_2{X}_i$	None	Swap the known and unknown
	are SI, $3\le i\le K-1$		byproducts to obtain query at $N_2$.
10	$X_1$ as demand, $X_p{X}_q$	Pick query at	None
	are SI, $3\le p,q\le K-1$	$N_2$ obtained
	$p\ne q$	from case 5
		$X_3{X}_i\rightleftharpoons X_p{X}_q$
		$X_1\rightleftharpoons X_K$
11	$X_2$ as demand, $X_1{X}_i$	None	Swap the known and unknown
	are SI, $3\le i\le K-1$		byproducts to obtain query at $N_2$.
12	$X_2$ as demand, $X_p{X}_q$	Pick query at	None
	are SI, $3\le p,q\le K-1$	$N_2$ obtained
	$p\ne q$	from case 5
		$X_3{X}_i\rightleftharpoons X_p{X}_q$
		$X_2\rightleftharpoons X_K$
13	$X_3$ as demand	Pick query at	None
	$X_1{X}_i$ are SI	$N_2$ obtained
	$2\le i\le K-1$, $i\ne 3$	from Case 3
		$X_3\rightleftharpoons X_K$
14	$X_3$ as demand	Pick query at	None
	$X_2{X}_i$ are SI	$N_2$ obtained
	$4\le i\le K-1$, $i\ne 3$	from Case 4
		$X_3\rightleftharpoons X_K$
15	$X_3$ as demand	Pick query at	$X_i+X_j\Rightarrow$$X_K+X_j$, $X_K+X_1\Rightarrow$$X_K+X_i$, $X_K+X_2\Rightarrow$
	$X_i{X}_j$ are SI	$N_2$ obtained	$X_3+X_2$, $X_K+X_3+X_2\Rightarrow$$X_j+X_3+X_2$,
	$4\le i,j\le K-1$, $i\ne j$	from Case 10	$X_2+X_K+X_j+X_3\Rightarrow X_1+X_4+X_i+X_3$,
		$X_2\rightleftharpoons X_3$	$X_j+X_1+X_4+X_3\Rightarrow X_j+X_1+X_2+X_K$
			$X_j+X_i+X_1+X_2+X_3\Rightarrow X_1+X_K+X_2+X_4+X_j$
			$X_j+X_K+X_i+X_1+X_2+X_4\Rightarrow$
			$X_1+X_2+X_K+X_3+X_i+X_j$
16	$X_{\delta }$ as demand, $X_i{X}_j$	None	Swap the known and unknown
	are SI, $4\le \delta \le K-1$		byproducts to obtain query at $N_2$.
	$1\le i\le 2,2\le j\le K-1,$
	$i\ne j,i,j\ne \delta$
17	$X_{\delta }$ as demand, $X_p{X}_q$	Pick query at	None
	are SI, $4\le \delta \le K-1,$	$N_2$ obtained
	$3\le p,q\le K-1$, $p\ne q$	from case 5
	$p,q\ne \delta$	$X_3{X}_i\rightleftharpoons X_p{X}_q$
		$X_{\delta }\rightleftharpoons X_K$
18	$X_{\delta }$ as demand, $X_p{X}_q$	Pick query at	$X_1+X_{\delta }\Rightarrow X_2+X_{\delta }$, $X_2+X_{\delta }+X_p\Rightarrow X_1+X_K+X_{\delta }$,
	are SI, $4\le \delta \le K-1,$	$N_2$ obtained	$X_1+X_K+X_q\Rightarrow X_1+X_q+X_p$
	$4\le p,q\le K-1$, $p\ne q$	from case 5
	$p,q\ne \delta$	$X_3{X}_i\rightleftharpoons X_p{X}_q$
		$X_{\delta }\rightleftharpoons X_K$

lists the instructions to obtain the query at $N_2$ for the case when $X_K$ is one of the byproducts.

In both Table 16 and Table 17, the operator ⇌ represents swapping the elements on either side of the ⇌ operator, i.e., swap all the position of element in left hand side of ⇌ with the one in its right-hand side in the given query. For example, $A\rightleftharpoons B$ implies that swap all positions of A and B in the given query. If the ⇌ operator has two juxtaposed elements in either side, swap first and second element of the left side with first and second element of the right side, respectively. Similarly, the operator ⇒ represents the replacement of the codeword in the left of the ⇒ operator with the one in the right. For example, $A+B\Rightarrow C+D$ implies replacing the codeword $A+B$ with $C+D$ in the given query. In summary, the first row of Table 16, shows that when $X_K$ is a side information, any demand can be retrieved with any side information pair in $N_2$ while keeping the query at $N_1$ unaltered and making necessary changes in $N_2$ without altering the structure of code in $N_1$. Similarly, Table 16 and Table 17 show that the same is possible when $X_K$ is the demand and $X_K$ is one of the byproducts, respectively. This shows that the query obtained from the code construction algorithm in Section 3 can be used to retrieve any demand with any pair of side information in $N_2$ while keeping the query at $N_1$ unaltered.

Please note that Table 16 and Table 17 only provide the instructions to obtain the queries to $N_2$ for any demand-side information combination keeping the query at $N_1$ fixed. However, the correctness of the joint-privacy proof follows from the fact that the instructions for any particular demand-side information combination retraces back to the structure of query at $N_1$, which was proved to be correct in Theorem 1.

5. Proof for Joint Privacy for the Code with $\mathit{K}=\mathbf{7}$

In this section, we demonstrate the joint-privacy proof using our code with $K=7$ as presented in

Table 18. Query to $N_1$ and $N_2$ as per our code construction.

Query to ${\mathit{N}}_1$	Query to ${\mathit{N}}_2$
$A_1$	$A_{33}$
$A_2+B_1$	$A_{34}+B_1$
$A_3+D_1$	$A_{35}+D_2$
$A_4+E_1$	$A_{36}+E_2$
$A_5+F_1$	$A_{37}+F_2$
$B_2+C_1$	$B_2+C_1$
$B_3+D_2$	$B_3+D_1$
$B_4+E_2$	$B_4+E_1$
$B_5+F_2$	$B_5+F_1$
$B_6+G_1$	$B_6+G_6$
$C_2+G_2$	$C_2+G_{13}$
$D_3+G_3$	$D_{16}+G_{14}$
$E_3+G_4$	$E_{16}+G_{15}$
$F_3+G_5$	$F_{16}+G_{16}$
$A_6+C_3+D_4$	$A_{38}+C_3+D_7$
$A_7+C_4+E_4$	$A_{39}+C_4+E_7$
$A_8+C_5+F_4$	$A_{40}+C_5+F_7$
$A_9+C_6+G_6$	$A_{41}+C_6+G_1$
$A_{10}+D_5+E_5$	$A_{42}+D_8+E_8$
$A_{11}+D_6+F_5$	$A_{43}+D_9+F_8$
$A_{12}+E_6+F_6$	$A_{44}+E_9+F_9$
$B_7+C_7+D_7$	$B_7+C_7+D_4$
$B_8+C_8+E_7$	$B_8+C_8+E_4$
$B_9+C_9+F_7$	$B_9+C_9+F_4$
$B_{10}+D_8+E_8$	$B_{10}+D_5+E_5$
$B_{11}+D_9+F_8$	$B_{11}+D_6+F_5$
$B_{12}+E_9+F_9$	$B_{12}+E_6+F_6$
$C_{10}+D_{10}+E_{10}$	$C_{10}+D_{18}+E_{18}$
$C_{11}+D_{11}+F_{10}$	$C_{11}+D_{19}+F_{18}$
$C_{12}+D_{12}+G_7$	$C_{12}+D_{20}+G_{17}$
$C_{13}+E_{11}+F_{11}$	$C_{13}+E_{19}+F_{19}$
$C_{14}+E_{12}+G_8$	$C_{14}+E_{20}+G_{18}$
$C_{15}+F_{12}+G_9$	$C_{15}+F_{20}+G_{19}$
$D_{13}+E_{13}+F_{13}$	$D_{21}+E_{21}+F_{21}$
$D_{14}+E_{14}+G_{10}$	$D_{22}+E_{22}+G_{20}$
$D_{15}+F_{14}+G_{11}$	$D_{23}+F_{22}+G_{21}$
$E_{15}+F_{15}+G_{12}$	$E_{23}+F_{23}+G_{22}$
$A_{13}+B_{13}+C_{16}+G_{13}$	$A_{45}+B_{13}+C_{16}+G_2$
$A_{14}+B_{14}+D_{16}+G_{14}$	$A_{46}+B_{14}+D_3+G_3$
$A_{15}+B_{15}+E_{16}+G_{15}$	$A_{47}+B_{15}+E_3+G_4$
$A_{16}+B_{16}+F_{16}+G_{16}$	$A_{48}+B_{16}+F_3+G_5$
$C_{17}+D_{17}+E_{17}+F_{17}$	$C_{17}+D_{30}+E_{30}+F_{30}$
$A_{17}+B_{17}+C_{18}+D_{18}+E_{18}$	$A_{49}+B_{17}+C_{18}+D_{10}+E_{10}$
$A_{18}+B_{18}+C_{19}+D_{19}+F_{18}$	$A_{50}+B_{18}+C_{19}+D_{11}+F_{10}$
$A_{19}+B_{19}+C_{20}+D_{20}+G_{17}$	$A_{51}+B_{19}+C_{20}+D_{12}+G_7$
$A_{20}+B_{20}+C_{21}+E_{19}+F_{19}$	$A_{52}+B_{20}+C_{21}+E_{11}+F_{11}$
$A_{21}+B_{21}+C_{22}+E_{20}+G_{18}$	$A_{53}+B_{21}+C_{22}+E_{12}+G_8$
$A_{22}+B_{22}+C_{23}+F_{20}+G_{19}$	$A_{54}+B_{22}+C_{23}+F_{12}+G_9$
$A_{23}+B_{23}+D_{21}+E_{21}+F_{21}$	$A_{55}+B_{23}+D_{13}+E_{13}+F_{13}$
$A_{24}+B_{24}+D_{22}+E_{22}+G_{20}$	$A_{56}+B_{24}+D_{14}+E_{14}+G_{10}$
$A_{25}+B_{25}+D_{23}+F_{22}+G_{21}$	$A_{57}+B_{25}+D_{15}+F_{14}+G_{11}$
$A_{26}+B_{26}+E_{23}+F_{23}+G_{22}$	$A_{58}+B_{26}+E_{15}+F_{15}+G_{12}$
$A_{28}+C_{25}+D_{25}+F_{24}+G_{24}$	$A_{60}+C_{25}+D_{28}+F_{27}+G_{28}$
$A_{29}+C_{26}+E_{25}+F_{25}+G_{25}$	$A_{61}+C_{26}+E_{28}+F_{28}+G_{29}$
$A_{30}+D_{26}+E_{26}+F_{26}+G_{26}$	$A_{62}+D_{29}+E_{29}+F_{29}+G_{30}$
$B_{27}+C_{27}+D_{27}+E_{27}+G_{27}$	$B_{27}+C_{27}+D_{24}+E_{24}+G_{23}$
$B_{28}+C_{28}+D_{28}+F_{27}+G_{28}$	$B_{28}+C_{28}+D_{25}+F_{24}+G_{24}$
$B_{29}+C_{29}+E_{28}+F_{28}+G_{29}$	$B_{29}+C_{29}+E_{25}+F_{25}+G_{25}$
$B_{30}+D_{26}+E_{26}+F_{26}+G_{26}$	$B_{30}+D_{29}+E_{29}+F_{29}+G_{30}$
$A_{31}+B_{31}+C_{30}+D_{30}+E_{30}+F_{30}$	$A_{63}+B_{31}+C_{30}+D_{17}+E_{17}+F_{17}$
$A_{32}+C_{31}+D_{31}+E_{31}+F_{31}+G_{31}$	$A_{64}+C_{31}+D_{32}+E_{32}+F_{32}+G_{32}$
$B_{32}+C_{32}+D_{32}+E_{32}+F_{32}+G_{32}$	$B_{32}+C_{32}+D_{31}+E_{31}+F_{31}+G_{31}$

. We choose $K=7$ for this demonstration since using $K<7$ will not cover all the cases mentioned in Table 16 and Table 17. On the other hand, using $K>7$ as an example is not feasible for exposition due to large queries, of length 127 and beyond. In this example, the letter G will play the role of $X_K$, whereas the letters $A,B,C,\dots ,F$ play the role of $X_1,X_2,\dots ,X_{K-1}$, respectively. The objective of this section is to show the execution of instructions presented in Table 16 and Table 17.

5.1. G as a Side Information

Recall that the queries for $K>3$, $M=2$ is formed by adding $2^{K-2}$ copies of $X_K$ (in this case G for $K=7$) to $P\left(\{X_1,X_2,\dots ,X_{K-1}\}\right)$\$\left\{\varphi \right\}$ (in this case the power set structure $P\left(\right\{A,B,C,D,E,F\left\}\right)$\$\left\{\varphi \right\}$). Since G is the side information, it can be removed from downloaded bits, and therefore, the privacy proof of the code is directly dependent on the structure of $P\left(\right\{A,B,C,D,E,F\left\}\right)$\$\left\{\varphi \right\}$. For any given demand and any side information from the remaining five messages, structure of $P\left(\right\{A,B,C,D,E,F\left\}\right)$\$\left\{\varphi \right\}$ guarantees that the known byproduct combinations and the unknown byproduct combinations in the query to $N_1$ are symmetric. Hence, the query submitted to $N_2$ follows the same structure as that of $N_1$ except that

• The index values of the demand will change from 33 to 64 instead of 1 to 32.
• The known and unknown byproduct combinations are swapped similar to the proposed construction.
• The index values of all the side information can be retained as they were in $N_1$.

5.2. G as the Demand

When G is the demand, the two side information messages can come from $\{A,B,\dots ,E,F\}$ in $\left(\genfrac{}{}{0pt}{}{K-1}{2}\right)$ = $\left(\genfrac{}{}{0pt}{}{6}{2}\right)$ = 15 ways. The 15 combinations are $\{AB,AC,AD,AE,AF,BC,BD,BE,BF,CD,CE,CF,DE,DF,EF\}$, implying that the two letters juxtaposed next to each other are the side information messages. These 15 combinations are grouped into five different types, namely: $\{AC,BC\}$, $\{AB,AD,AE,AF\}$, $\{BD,BE,BF\}$, $\{CD,CE,CF\}$ and $\{DE,DF,EF\}$. The reason for this classification is attributed to the fact that the query to $N_1$ was constructed assuming A as the demand and $B,C$ as the side information, and therefore, when we have to design the new query to $N_2$, it should match with the existing query to $N_1$.

5.2.1. One of $\{AC,BC\}$ as Side Information and G as the Demand

When either $AC$ or $BC$ are the side information messages, the known and unknown byproduct combinations are symmetric. With the side information $AC$, the pattern of unknown and known byproduct combinations without the indices are given in

Table 19. Pattern of unknown-known byproducts for SI $AC$.

Unknown	Known
B	B
B	B
D	D
D	D
E	E
E	E
F	F
F	F
B+D	B+D
B+D	B+D
B+E	B+E
B+E	B+E
B+F	B+F
B+F	B+F
D+E	D+E
D+E	D+E
D+F	D+F
D+F	D+F
E+F	E+F
E+F	E+F
B+D+E	B+D+E
B+D+E	B+D+E
B+D+F	B+D+F
B+D+F	B+D+F
B+E+F	B+E+F
B+E+F	B+E+F
D+E+F	D+E+F
D+E+F	D+E+F
B+D+E+F	B+D+E+F
B+D+E+F	B+D+E+F

. Therefore, the demand G can be retrieved by swapping the indices of the known and unknown byproduct combinations. Similar to the code construction, when submitting the query to $N_2$, the indices on side information must be the same, whereas the indices of the demand on $N_2$ must be new.

In the case when $BC$ are the side information messages, the pattern of the known and the unknown byproduct combinations remains symmetric, and therefore, the query to $N_2$ is similar to that when $AC$ were the side information messages. The only exception is that the role of A and B is swapped as A becomes a byproduct and B becomes a side information. Thus, all the bits of G can be retrieved from both databases without altering the structure of query to $N_1$ when one of $\{AC,BC\}$ are the side information messages.

5.2.2. One of $\{AB,AD,AE,AF\}$ as Side Information and G as the Demand

In the case when one of $\{AB,AD,AE,AF\}$ are the side information, the known and unknown byproduct combinations are almost symmetric with one exception that a singleton bit of byproduct C goes to the unknown side from the known side. For instance, when $AB$ are the side information, the known and unknown byproduct combinations are as shown in the first two columns of

Table 20. Pattern of unknown-known byproducts for SI $AB$ and after B⇌C.

Unknown	Known	Unknown FOR B ⇌ C	Known FOR B ⇌ C
C
C		C	C
C	C	C	C
D	D	D	D
D	D	D	D
E	E	E	E
E	E	E	E
F	F	F	F
F	F	F	F
C+D	C+D	C+D	C+D
C+D	C+D	C+D	C+D
C+E	C+E	C+E	C+E
C+E	C+E	C+E	C+E
C+F	C+F	C+F	C+F
C+F	C+F	C+F	C+F
D+E	D+E	D+E	D+E
D+E	D+E	D+E	D+E
D+F	D+F	D+F	D+F
D+F	D+F	D+F	D+F
E+F	E+F	E+F	E+F
E+F	E+F	E+F	E+F
C+D+E	C+D+E	C+D+E	C+D+E
C+D+E	C+D+E	C+D+E	C+D+E
C+D+F	C+D+F	C+D+F	C+D+F
C+D+F	C+D+F	C+D+F	C+D+F
C+E+F	C+E+F	C+E+F	C+E+F
C+E+F	C+E+F	C+E+F	C+E+F
D+E+F	D+E+F	D+E+F	D+E+F
D+E+F	D+E+F	D+E+F	D+E+F
C+D+E+F	C+D+E+F	C+D+E+F	C+D+E+F
C+D+E+F	C+D+E+F	C+D+E+F	C+D+E+F

. Therefore, the query to $N_2$ should somehow accommodate this extra unknown bit without changing the structure. To construct a query to $N_2$, we use the query to $N_1$ and make appropriate modifications as discussed hereafter. For exposition, we take the case when $AB$ are the side information. We already know that the query to $N_1$ gives a symmetric known-unknown byproduct combinations for side information $AC$ and demand G. We pick the query submitted to $N_1$, and propose a simple transformation of B⇌C, i.e., swapping all positions of B with C, to generate a new query. Due to the transformation, it is clear that this new query gives a symmetric known-unknown byproduct combinations when G is the demand and $AB$ are the side information. This pattern of unknown and known byproduct combinations are shown in the third and the fourth columns of Table 20.

We now provide modifications on the new query after the transformation B⇌C so that we can use as our query to $N_2$. To help this cause, the original query to $N_1$ for $K=7$ (without indices) is numbered from 1 to 63 for each codeword in Table 18. Since one bit of C moved to the unknown side from the known side in the existing query to $N_1$, we pick the new query (after the transformation) and then swap the singleton bit A (at bit number 1) and the bit C from the two-tuple sum $C+G$ (bit number 10). This ensures that the extra unknown bit C is retrieved in bit number 1 while still being able to retrieve the demand G bit in bit number 10 since A is a side information. This sequence of operations from taking a copy of the query to $N_1$, the transformation of B⇌C, and the final exchange in bit positions 1 and 10 are displayed in the last three columns of

Table 21. Final query to $N_2$ given in the fourth column.

Bit Number	${\mathit{N}}_1$	B⇌C	${\mathit{N}}_2$
1	A	A	C
2	A+B	A+C	A+C
3	A+D	A+D	A+D
4	A+E	A+E	A+E
5	A+F	A+F	A+F
6	B+C	C+B	C+B
7	B+D	C+D	C+D
8	B+E	C+E	C+E
9	B+F	C+F	C+F
10	B+G	C+G	A+G
11	C+G	B+G	B+G
12	D+G	D+G	D+G
13	E+G	E+G	E+G
14	F+G	F+G	F+G
15	A+C+D	A+B+D	A+B+D
16	A+C+E	A+B+E	A+B+E
17	A+C+F	A+B+F	A+B+F
18	A+C+G	A+B+G	A+B+G
19	A+D+E	A+D+E	A+D+E
20	A+D+F	A+D+F	A+D+F
21	A+E+F	A+E+F	A+E+F
22	B+C+D	C+B+D	C+B+D
23	B+C+E	C+B+E	C+B+E
24	B+C+F	C+B+F	C+B+F
25	B+D+E	C+D+E	C+D+E
26	B+D+F	C+D+F	C+D+F
27	B+E+F	C+E+F	C+E+F
28	C+D+E	B+D+E	B+D+E
29	C+D+F	B+D+F	B+D+F
30	C+D+G	B+D+G	B+D+G
31	C+E+F	B+E+F	B+E+F
32	C+E+G	B+E+G	B+E+G
33	C+F+G	B+F+G	B+F+G
34	D+E+F	D+E+F	D+E+F
35	D+E+G	D+E+G	D+E+G
36	D+F+G	D+F+G	D+F+G
37	E+F+G	E+F+G	E+F+G
38	A+B+C+G	A+C+B+G	A+C+B+G
39	A+B+D+G	A+C+D+G	A+C+D+G
40	A+B+E+G	A+C+E+G	A+C+E+G
41	A+B+F+G	A+C+F+G	A+C+F+G
42	C+D+E+F	B+D+E+F	B+D+E+F
43	A+B+C+D+E	A+C+B+D+E	A+C+B+D+E
44	A+B+C+D+F	A+C+B+D+F	A+C+B+D+F
45	A+B+C+D+G	A+C+B+D+G	A+C+B+D+G
46	A+B+C+E+F	A+C+B+E+F	A+C+B+E+F
47	A+B+C+E+G	A+C+B+E+G	A+C+B+E+G
48	A+B+C+F+G	A+C+B+F+G	A+C+B+F+G
49	A+B+D+E+F	A+C+D+E+F	A+C+D+E+F
50	A+B+D+E+G	A+C+D+E+G	A+C+D+E+G
52	A+B+E+F+G	A+C+E+F+G	A+C+E+F+G
53	A+C+D+E+G	A+B+D+E+G	A+B+D+E+G
54	A+C+D+F+G	A+B+D+F+G	A+B+D+F+G
55	A+C+E+F+G	A+B+E+F+G	A+B+E+F+G
56	A+D+E+F+G	A+D+E+F+G	A+D+E+F+G
57	B+C+D+E+G	C+B+D+E+G	C+B+D+E+G
58	B+C+D+F+G	C+B+D+F+G	C+B+D+F+G
59	B+C+E+F+G	C+B+E+F+G	C+B+E+F+G
60	B+D+E+F+G	C+D+E+F+G	C+D+E+F+G
61	A+B+C+D+E+F	A+C+B+D+E+F	A+C+B+D+E+F
62	A+C+D+E+F+G	A+B+D+E+F+G	A+B+D+E+F+G
63	B+C+D+E+F+G	C+B+D+E+F+G	C+B+D+E+F+G

. The rows of Table 21 indicated in red are the ones that are modified. Thus, the last column of this table forms the query to $N_2$ when $AB$ are the side information. Of course, swapping of the known-unknown byproducts indices is required wherever they are symmetric.

In general, when handling the other cases of $\{AD,AE,AF\}$ as the side information, the procedure for obtaining query for $N_2$ is similar to that when $AB$ is the side information. We pick the query submitted to $N_1$ and perform the transformation of C with $D,E,F$ for the cases $AD,AE,AF$, respectively. The modifications made to the new query after the transformation is the same as that when $AB$ were the side information. Finally, the bit numbers would change according to the new position of codeword $C+G$.

5.2.3. One of $\{BD,BE,BF\}$ as Side Information and G as the Demand

In the case when one of $\{BD,BE,BF\}$ are the side information, the known and unknown byproduct combinations are almost symmetric with two exceptions that a two-tuple sum of byproduct combination, $A+C$ goes to the unknown side from the known side while a bit of byproduct A goes to the known side from the unknown side. For instance, when $BD$ are the side information, the known and unknown byproduct combinations are as shown in the first two columns of

Table 22. Pattern of unknown and known byproducts for SI $BD$ and after A⇌B and C⇌D.

Unknown	Known	Unknown FOR A ⇌ B $\mathit{C}$⇌$\mathit{D}$	Known FOR A ⇌ B $\mathit{C}$⇌$\mathit{D}$
	A
	A	A	A
A	A	A	A
C	C	C	C
C	C	C	C
E	E	E	E
E	E	E	E
F	F	F	F
F	F	F	F
A+C	A+C
A+C		A+C	A+C
A+C		A+C	A+C
A+E	A+E	A+E	A+E
A+E	A+E	A+E	A+E
A+F	A+F	A+F	A+F
A+F	A+F	A+F	A+F
C+E	C+E	C+E	C+E
C+E	C+E	C+E	C+E
C+F	C+F	C+F	C+F
C+F	C+F	C+F	C+F
E+F	E+F	E+F	E+F
E+F	E+F	E+F	E+F
A+C+E	A+C+E	A+C+E	A+C+E
A+C+E	A+C+E	A+C+E	A+C+E
A+C+F	A+C+F	A+C+F	A+C+F
A+C+F	A+C+F	A+C+F	A+C+F
A+E+F	A+E+F	A+E+F	A+E+F
A+E+F	A+E+F	A+E+F	A+E+F
C+E+F	C+E+F	C+E+F	C+E+F
C+E+F	C+E+F	C+E+F	C+E+F
A+C+E+F	A+C+E+F	A+C+E+F	A+C+E+F
A+C+E+F	A+C+E+F	A+C+E+F	A+C+E+F

. Therefore, the query to $N_2$ should somehow accommodate these deviations without changing the structure. To construct a query to $N_2$, we use the query to $N_1$ and make appropriate modifications as discussed hereafter. For exposition, we take the case when $BD$ are the side information. We already know that the query to $N_1$ gives a symmetric known-unknown byproduct combinations for side information $AC$ and demand G. We pick the query submitted to $N_1$, and perform a transformation of A⇌B and C⇌D, to generate a new query. Due to the transformation, it is clear that this new query gives a symmetric known-unknown byproduct combinations when G is the demand and $BD$ are the side information. This pattern of unknown and known byproduct combinations are shown in the third and the fourth columns of Table 22.

Since a bit of $A+C$ is moved to the unknown side from the known side in the existing query to $N_1$, there is only one known bit of $A+C$ available to retrieve G. But the query after transformation uses 2 bits of $A+C$ (bit number 39 and 45) to retrieve 2 bits of G as seen in the third column of

Table 23. Final query to $N_2$ given in the fourth column.

Bit Number	${\mathit{N}}_1$	A⇌B, C⇌D	${\mathit{N}}_2$
1	A	B	G
2	A+B	B+A	B+A
3	A+D	B+C	B+C
4	A+E	B+E	B+E
5	A+F	B+F	B+F
6	B+C	A+D	A+D
7	B+D	A+C	A+C
8	B+E	A+E	A+E
9	B+F	A+F	A+F
10	B+G	A+G	A+G
11	C+G	D+G	D+G
12	D+G	C+G	B+G
14	F+G	F+G	F+G
15	A+C+D	B+D+C	B+D+C
16	A+C+E	B+D+E	B+D+E
17	A+C+F	B+D+F	B+D+F
18	A+C+G	B+D+G	B+D+G
19	A+D+E	B+C+E	B+C+E
20	A+D+F	B+C+F	B+C+F
21	A+E+F	B+E+F	B+E+F
22	B+C+D	A+D+C	A+D+C
23	B+C+E	A+D+E	A+D+E
24	B+C+F	A+D+F	A+D+F
25	B+D+E	A+C+E	A+C+E
26	B+D+F	A+C+F	A+C+F
27	B+E+F	A+E+F	A+E+F
28	C+D+E	D+C+E	D+C+E
29	C+D+F	D+C+F	D+C+F
30	C+D+G	D+C+G	D+C+G
31	C+E+F	D+E+F	D+E+F
32	C+E+G	D+E+G	D+E+G
33	C+F+G	D+F+G	D+F+G
34	D+E+F	C+E+F	C+E+F
35	D+E+G	C+E+G	C+E+G
36	D+F+G	C+F+G	C+F+G
37	E+F+G	E+F+G	E+F+G
38	A+B+C+G	B+A+D+G	B+A+D+C
39	A+B+D+G	B+A+C+G	B+A+C+G
40	A+B+E+G	B+A+E+G	B+A+E+G
41	A+B+F+G	B+A+F+G	B+A+F+G
42	C+D+E+F	D+C+E+F	D+C+E+F
43	A+B+C+D+E	B+A+D+C+E	B+A+D+C+E
44	A+B+C+D+F	B+A+D+C+F	B+A+D+C+F
45	A+B+C+D+G	B+A+D+C+G	B+A+D+C+G
46	A+B+C+E+F	B+A+D+E+F	B+A+D+E+F
47	A+B+C+E+G	B+A+D+E+G	B+A+D+E+G
48	A+B+C+F+G	B+A+D+F+G	B+A+D+F+G
49	A+B+D+E+F	B+A+C+E+F	B+A+C+E+F
50	A+B+D+E+G	B+A+C+E+G	B+A+C+E+G
51	A+B+D+F+G	B+A+C+F+G	B+A+C+F+G
52	A+B+E+F+G	B+A+E+F+G	B+A+E+F+G
53	A+C+D+E+G	B+D+C+E+G	B+D+C+E+G
54	A+C+D+F+G	B+D+C+F+G	B+D+C+F+G
55	A+C+E+F+G	B+D+E+F+G	B+D+E+F+G
56	A+D+E+F+G	B+C+E+F+G	B+C+E+F+G
57	B+C+D+E+G	A+D+C+E+G	A+D+C+E+G
58	B+C+D+F+G	A+D+C+F+G	A+D+C+F+G
59	B+C+E+F+G	A+D+E+F+G	A+D+E+F+G
60	B+D+E+F+G	A+C+E+F+G	A+C+E+F+G
61	A+B+C+D+E+F	B+A+D+C+E+F	B+A+D+C+E+F
62	A+C+D+E+F+G	B+D+C+E+F+G	B+D+C+E+F+G
63	B+C+D+E+F+G	A+D+C+E+F+G	A+D+C+E+F+G

. Since we have one extra bit of A available, to obtain the extra bit of $A+C$, the bit $C+G$ in bit number 12 is replaced with bit $B+G$. G is still retrievable since B is side information. The bit of C freed from bit number 12 along with extra bit of A contributes to the second $A+C$ bit. Since one more B is added to the query, the singleton bit of B is replaced with demand bit G as seen in bit number 1 in the table below. Since one extra demand bit is retrieved, the bit number 38 is changed from $B+A+D+G$ to $B+A+D+C$ so that the extra unknown bit of $A+C$ is also acquired. Since one bit of C was removed in bit number 12, this change will bring back the uniform distribution of bits while keeping the structure of query at $N_2$ maintained as that of $N_1$. This sequence of operations from taking a copy of the query to $N_1$, the transformation of A⇌B and C⇌D, and the final exchange in bit positions 1, 12, and 38 are displayed in the last three columns of Table 23. Thus, the last column of this table forms the query to $N_2$ when $BD$ are the side information. Of course, swapping of the known-unknown byproducts indices is required wherever they are symmetric.

In general, when handling the other cases of $\{BE,BF\}$ as the side information, the procedure for obtaining query for $N_2$ is similar to that when $BD$ were the side information. We pick the query submitted to $N_1$ and perform the transformation between A with B, and then between C and E (or F), for $BE$ (or $BF$) as the side information. The modifications made to the new query after the transformation when $BD$ were the side information can be reproduced to retrieve G from $N_2$.

5.2.4. One of $\{CD,CE,CF\}$ as Side Information and G as the Demand

In the case when one of $\{CD,CE,CF\}$ are the side information, there is a drastic change in the known and unknown byproduct combinations compared to the previous cases when of G is the demand. For instance, when $CD$ are the side information the singleton bits of byproducts A and B are unknown only one time whereas they are known for three times. The two-tuple sum block combinations of byproducts except $A+B$ are unknown only one time but are known three times whereas $A+B$ is unknown three times but known only one time. All the three-tuple sum blocks combinations of byproducts are unknown three times while they are known only once. The four-tuple sum block combinations of byproducts are known three times while they are unknown only once. The known and unknown byproduct combinations are as shown in

Table 24. Pattern of unknown and known byproducts for SI $CD$.

Unknown	Known
A	A
B	A
E	A
E	B
E	B
F	B
F	E
F	F
A+B	A+B
A+B	A+E
A+B	A+E
A+E	A+E
A+F	A+F
B+E	A+F
B+F	A+F
E+F	B+E
A+B+E	B+E
A+B+E	B+E
A+B+E	B+F
A+B+F	B+F
A+B+F	B+F
A+B+F	E+F
A+E+F	E+F
A+E+F	E+F
A+E+F	A+B+E
B+E+F	A+B+F
B+E+F	A+E+F
B+E+F	B+E+F
A+B+E+F	A+B+E+F
	A+B+E+F
	A+B+E+F

.

The query to $N_2$ should somehow accommodate these deviations without changing the structure. To construct a query to $N_2$, we use the query to $N_1$ and make appropriate modifications as discussed hereafter. For exposition, we take the case when $CD$ are the side information. We already know that the query to $N_1$ gives a symmetric known-unknown byproduct combinations for side information $AC$ and demand G. We pick the query submitted to $N_1$, and perform the transformation A⇌D, to generate a new query. Due to the transformation, it is clear that this new query gives a symmetric known-unknown byproduct combinations when G is the demand and $CD$ are the side information. Since one bit of $A+B$ moves towards the unknown side from the known side, there is only one bit of $A+B$ available in known bits to retrieve G. But the new query after transformation uses 2 bits of $A+B$ (bit number 39 and 43) to retrieve 2 bits of G as seen in the third column of

Table 25. Final query to $N_2$ given in the fourth column.

Bit Number	${\mathit{N}}_1$	A⇌D	${\mathit{N}}_2$
1	A	D	G
2	A+B	D+B	D+C
3	A+D	D+A	D+A
4	A+E	D+E	D+E
5	A+F	D+F	D+F
6	B+C	B+C	E+C
7	B+D	B+A	B+A
8	B+E	B+E	B+E
9	B+F	B+F	E+F
10	B+G	B+G	D+G
11	C+G	C+G	C+G
12	D+G	A+G	A+G
13	E+G	E+G	E+A
14	F+G	F+G	F+C
15	A+C+D	D+C+A	D+C+A
16	A+C+E	D+C+E	D+C+E
17	A+C+F	D+C+F	D+C+F
18	A+C+G	D+C+G	D+C+G
19	A+D+E	D+A+E	D+A+B
20	A+D+F	D+A+F	D+A+F
21	A+E+F	D+E+F	D+G+F
22	B+C+D	B+C+A	B+C+A
23	B+C+E	B+C+E	B+C+E
24	B+C+F	B+C+F	B+C+F
25	B+D+E	B+A+E	B+A+E
26	B+D+F	B+D+F	B+D+F
27	B+E+F	B+E+F	B+E+F
28	C+D+E	C+A+E	B+G+E
29	C+D+F	C+A+F	B+D+G
30	C+D+G	C+A+G	C+B+G
31	C+E+F	C+E+F	C+B+D
32	C+E+G	C+E+G	C+E+G
33	C+F+G	C+F+G	B+F+G
34	D+E+F	A+E+F	A+E+F
35	D+E+G	A+E+G	A+E+G
36	D+F+G	A+F+G	A+F+G
37	E+F+G	E+F+G	E+F+G
38	A+B+C+G	D+B+C+G	A+E+C+G
39	A+B+D+G	D+B+A+G	A+B+F+D
40	A+B+E+G	D+B+E+G	D+B+E+F
41	A+B+F+G	D+B+F+G	D+A+F+G
42	C+D+E+F	C+A+E+F	C+A+E+F
43	A+B+C+D+E	D+B+C+A+E	D+B+C+A+E
44	A+B+C+D+F	D+B+C+A+F	D+B+C+A+F
45	A+B+C+D+G	D+B+C+A+G	D+B+C+A+G
46	A+B+C+E+F	D+B+C+E+F	D+B+C+E+F
47	A+B+C+E+G	D+B+C+E+G	D+B+C+E+G
48	A+B+C+F+G	D+B+C+F+G	D+B+C+F+G
49	A+B+D+E+F	D+B+A+E+F	D+C+A+E+F
51	A+B+D+F+G	D+B+A+F+G	D+B+A+F+G
52	A+B+E+F+G	D+B+E+F+G	D+B+E+F+G
53	A+C+D+E+G	D+C+A+E+G	D+C+A+E+G
54	A+C+D+F+G	D+C+A+F+G	D+C+A+F+G
55	A+C+E+F+G	D+C+E+F+G	D+C+E+F+G
56	A+D+E+F+G	D+A+E+F+G	C+A+E+F+G
57	B+C+D+E+G	B+C+A+E+G	B+C+A+E+G
58	B+C+D+F+G	B+C+A+F+G	B+C+A+F+G
59	B+C+E+F+G	B+C+E+F+G	B+C+E+F+G
60	B+D+E+F+G	B+A+E+F+G	B+A+E+F+G
61	A+B+C+D+E+F	D+B+C+A+E+F	D+B+C+A+E+F
62	A+C+D+E+F+G	D+C+A+E+F+G	D+B+A+E+F+G
63	B+C+D+E+F+G	B+C+A+E+F+G	B+C+A+E+F+G

. This is rectified by swapping bit G in bit number 39 with F, therefore retrieving the extra bit of $A+B+F$ required in the unknown while removing the necessity of second known bit of $A+B$. This increments and decrements the bit count (total number of bits of a message) of F and G respectively by 1. The extra bit of $A+B$ required is obtained by swapping bit E in the bit number 19 with B since all the two-tuple sum combinations except $A+B$ are unknown only once. This increments and decrements the bit count of B and E respectively by 1. Since the bit $A+F$ is unknown only once, the bit number 29, which is the second query for $A+F$ is changed to $B+D+G$ to use the extra known bit B along with side information D to retrieve G. This neutralises the differences occurred in bit count of F and G and also increments the bit count of B and D and decrements the bit count of A and C respectively by 1. B has a net increment of 2 in the bit count. This increment of D and decrement of C is neutralised in bit number 56 by swapping D with C. Now the four-tuple sum bit $A+B+E+F$ is known three times and is unknown only once. Therefore B and side information C are swapped in bit numbers 49 and 62. Bit number 49, which was initially querying a bit of $A+B+E+F$ will now query the extra unknown bit of $A+E+F$. Bit number 62 was supposed to be the second query for G bit using $A+E+F$ but all the three-tuple sum bits have only one known bit. This $A+E+F$ is replaced by the extra known bit of $A+B+E+F$. The extra unknown bit of three-tuple sum bit $B+E+F$ is retrieved by swapping G with F in bit number 40. This increments and decrements the bit count of F and G respectively by 1. Bit numbers 15 and 23 which queries the second bit A and $B+E$ respectively are together used to retrieve the extra unknown bit of $A+B+E$ since A and $B+E$ are unknown only once. Bit numbers 57–59 uses three-tuple sums $A+B+E,A+B+F$ and $B+E+F$ to retrieve G for the second time but they are known only once. Therefore, these bits are obtained by combining the bits $\{A,B+E\}$, $\{A,B+F\}$ and $\{B,E+F\}$ since A, B and all the two-tuple sum blocks except $A+B$ are known one extra time. $B+D$ of bit number 38 is replaced with $A+E$ and B of bit number 41 is replaced with A so that the extra two-tuple sum bits, $A+E$ and $A+F$ will be used to retrieve G. This neutralises the bit count of B and E while increments the bit count of A by 2 and decrements the bit count of D by 1. Since bit count of A was already lagging 1 bit behind, this step increases it by 2 bits to give a net increment of 1 for A. C of bit number 33 is replaced with B and $C+A$ of bit number 28 is replaced with $B+G$ so that the extra two-tuple sum bits, $B+E$ and $B+F$ will be used to retrieve G. This neutralises the bit count of G and A while decrements the bit count of D by 1. This also increments and decrements the bit count of B and C respectively by 2. The B from bit number 10 is swapped with side information D, while D itself in bit number 1 is swapped with G. The G bit and B bit of bit numbers 14 and 2 are swapped with C to obtain the second unknown bit of F and therefore neutralising $B,C$ and G. B is swapped with E in both bit numbers 6 and 9 to retrieve extra unknown bit E and only unknown bit of $E+F$. This increments and decrements the bit count of E and B respectively by 2. E in bit numbers 21 and 31 are swapped with G and B respectively and F in bit number 31 is swapped with D to retrieve extra unknown bit of F and only unknown bit of B. This neutralises $D,E$ and F while incrementing B and G one time with B with a net decrement of 1 bit. G of bit number 13 is swapped with A to retrieve the only known bit of $A+E$ while A of bit number 30 is swapped with the last known bit of B to retrieve G which neutralises the bit count of B and G and achieving the uniform distribution of bits while keeping the structure of query at $N_2$ maintained as that of $N_1$. This sequence of operations from taking a copy of the query to $N_1$, the transformation of A⇌D, and the final exchange in bit positions are displayed in the last three columns of Table 25. Thus, the last column of this table forms the query to $N_2$ when $CD$ are the side information. Of course, swapping of the known-unknown byproducts indices is required wherever they are symmetric.

In general, when handling the other cases of $\{CE,CF\}$ as the side information, the procedure for obtaining query for $N_2$ is similar to that when $CD$ are the side information. We pick the query submitted to $N_1$ and perform the transformation between A with D. The modifications made to the new query after transformation when $CD$ were the side information can be reproduced to retrieve G from $N_2$.

5.2.5. One of $\{DE,DF,EF\}$ Is the Side Information and G Is the Demand

Compared to the previous case (Section 5.2.4), this case has one more singleton bit of A going to the known side from the unknown side and one bit of $A+C$ going from the known side to the unknown side for all side information from $\{DE,DF,EF\}$. A minor modification to the previous code for $N_2$ seen in Table 25 can incorporate the change required. Since the fourth column of Table 25 gave the query to $N_2$ for demand G and side information $CD$, swap $CD$ with the desired side information from $\{DE,DF,EF\}$ to obtain a new query. Since one more A goes to the known side, all 4 bits of A are known. Therefore, a side information in the bit number 15 in the fourth column of Table 25 which queries the only unknown A can be replaced with C to make it retrieve $A+C$. Bit number 38 which retrieves G using $A+C$ can be now used to retrieve G using the fourth known A bit by swapping C with the side information swapped before. Therefore, all bits of G can be retrieved from both databases when one of $\{DE,DF,EF\}$ is the side information without altering the structure of query from $N_1$.

5.3. G as a Byproduct

G can be byproduct in (the demand can come from $\{A,B,C,D,E,F\}$ in $\left(\genfrac{}{}{0pt}{}{K-1}{1}\right)$ = $\left(\genfrac{}{}{0pt}{}{6}{1}\right)$ = 6) × (the 2 side information messages can come from $\{A,B,C,D,E,F\}$−$Demand$ in $\left(\genfrac{}{}{0pt}{}{K-2}{2}\right)$ = $\left(\genfrac{}{}{0pt}{}{5}{2}\right)$ = 10) = 6 × 10 = 60 ways. This is subdivided into 4 different cases.

5.3.1. A Is the Demand

When A is the demand and $BC$ are the side information, the known and unknown byproduct combinations are symmetric. The demand can be retrieved similar to the operation mentioned in step 8 of the code construction in Section 3. Now when one of $\{BD,BE,BF\}$ are the side information there is a small difference from symmetry. In the unknown side one singleton bit of C and G is removed (does not go to the known side) and one bit of $C+G$ is added to unknown (is not removed from known). The structure of code remains the same as that of $N_1$ since the C and G of the extra unknown $C+G$ bit can be obtained from the individual querying itself since one singleton bit of C and G is removed from unknown. Now when one of $\{CD,CE,CF\}$ are the side information, the known and unknown byproduct combinations are similar to the case when G was the demand and one of $\{CD,CE,CF\}$ were the side information (Section 5.2.4). A simple transformation of A⇌G in the code structure provided in Section 5.2.4 will provide the necessary query to $N_2$. Now when one of $\{DE,DF,EF\}$ is the side information, the known and unknown byproduct combinations are similar to the case of $\{CD,CE,CF\}$ with a small difference. The difference is same as $\{BD,BE,BF\}$ case, in the unknown side one singleton bit of C and G is removed (does not go to the known side) and one bit of $C+G$ is added to unknown (is not removed from known). The structure of code remains the same as $\{CD,CE,CF\}$ since the C and G of the extra unknown $C+G$ bit can be obtained from the individual querying itself since one singleton bit of C and G is removed from unknown. This completes all side information cases for A as a demand and G as one of the byproducts. Therefore, all cases with A as a demand is retrievable.

5.3.2. B Is the Demand

When B is the demand, the cases are similar to A as the demand except for the side information set $\{DE,DF,EF\}$. When B is the demand and $AC$ are the side information, the known and unknown byproduct combinations are symmetric. The demand can be retrieved similar to the operation mentioned in step 8 of the code construction in Section 3. Now when one of $\{AD,AE,AF\}$ are the side information there is a small difference from symmetry. In the unknown side one singleton bit of C and G is removed (does not go to the known side) and one bit of $C+G$ is added to unknown (is not removed from known). The structure of code remains the same as that of $N_1$ since the C and G of the extra unknown $C+G$ bit can be obtained from the individual querying itself since one singleton bit of C and G is removed from unknown. Now when one of $\{CD,CE,CF\}$ are the side information, the known and unknown byproduct combinations are similar to the case when G was the demand and one of $\{CD,CE,CF\}$ were the side information (Section 5.2.4). A simple transformation of B⇌G in the code structure provided in Section 5.2.4 will provide the necessary query to $N_2$. Now when one of $\{DE,DF,EF\}$ is the side information, the known and unknown byproduct combinations are similar to the case when G was the demand and one of $\{DE,DF,EF\}$ were the side information (Section 5.2.5) with a small difference. The unknown bit $A+C$ is replaced with just A while the known bit $A+G$ is replaced with $A+C+G$. When G was the demand and one of $\{CD,CE,CF\}$ were the side information, for obtaining second known bit of $A+B+E$ we had to combine individual bits of A and $B+E$ as explained in Section 5.2.4. Similar operation was performed for $A+B+C$ in Section 5.2.5. Since second $A+C+G$ (which is analogous of $A+B+C$ from Section 5.2.5) bit is available as known, we can use it directly to query demand B therefore freeing individual bits of A and $C+G$. Now this free known bit $C+G$ is used in place of retrieving B with singleton G. This frees a singleton G and this along with the singleton A freed before is used to retrieve B with bit $A+G$ (since the only known $A+G$ was converted to $A+C+G$). Finally, the query bit that retrieves $A+C$ is now used to retrieve the new unknown A bit. This completes all side information cases for B as a demand and G as one of the byproducts. Therefore, all cases with B as a demand is retrievable.

5.3.3. C Is the Demand

When C is the demand and one of $\{AB,AD,AE,AF\}$ are the side information, the known and unknown byproduct combinations are similar to the case when G was the demand and one of $\{AB,AD,AE,AF\}$ were the side information (Section 5.2.2). The query for $N_2$ can be obtained similar to that case with a transformation of C⇌G. When one of $\{BD,BE,BF\}$ are the side information, the known and unknown byproduct combinations are similar to the case when G was the demand and one of $\{BD,BE,BF\}$ were the side information (Section 5.2.3). The query for $N_2$ can be obtained similar to that case with a transformation of C⇌G. When one of $\{DE,DF,EF\}$ are the side information, the known and unknown byproduct combinations is similar to the one when B was the demand and one of $\{DE,DF,EF\}$ were the side information (Section 5.3.2) with some minor differences. In the unknown side, one bit of $A+G$ is removed while one bit of A and 2 bits of G are included. In the known side 2 bits of $B+G$ are replaced by just B while one bit of $A+B$ is replaced by $A+B+G$. For instance, when $EF$ are the side information, the known and unknown byproduct combinations are as shown in the first two columns of

Table 26. Pattern of unknown and known byproducts for SI $EF$.

Unknown	Known
A	A
A	A
B	A
B	A
B	B
D	B
D	B
D	G
G	G
G	G
G	D
A+G	A+B
A+G	B+G
B+G	D+G
A+B	D+G
D+G	D+G
A+D	A+D
B+D	A+D
A+B+G	A+D
A+B+G	B+D
A+B+G	B+D
A+D+G	B+D
A+D+G	A+B+G
A+D+G	A+B+G
B+D+G	A+B+G
B+D+G	A+D+G
B+D+G	B+D+G
A+B+D	A+B+D
A+B+D	A+B+D+G
A+B+D	A+B+D+G
A+B+D+G	A+B+D+G

.

The query to $N_2$ should somehow accommodate these deviations without changing the structure. For exposition, we take the case when $EF$ are the side information. To construct a query to $N_2$, we use the query to $N_2$ from Table 25 and make appropriate modifications as discussed hereafter. To this query we perform the transformation $CD$⇌$EF$, to generate a new query. To this query we perform the modifications mentioned as in the case of G as the demand and one of $\{DE,DF,EF\}$ as the side information to obtain a new query. To this query we perform a transformation B⇌G to obtain a new query. To this query we perform the modifications mentioned as in the case of B as the demand and one of $\{DE,DF,EF\}$ as the side information to obtain a new query. Please note that this query is exactly the query to $N_2$ for the case of B as the demand and $EF$ are the side information. To this query we perform a transformation of B⇌C as seen in third column of

Table 27. Final query to $N_2$ given in the fourth column.

Bit Number	${\mathit{N}}_1$	B⇌C	${\mathit{N}}_2$
1	A	C	C
2	A+B	F+E	F+G
3	A+D	F+A	F+A
4	A+E	F+B	F+B
5	A+F	F+D	F+D
6	B+C	B+E	B+E
7	B+D	G+A	G+E
8	B+E	G+B	C+B
9	B+F	B+D	B+D
10	B+G	F+C	F+C
11	C+G	E+C	E+C
12	D+G	A+C	A+C
13	E+G	E+A	E+A
14	F+G	D+E	D+E
15	A+C+D	E+B+A	E+B+A
16	A+C+E	F+E+B	F+E+B
17	A+C+F	F+E+D	F+E+D
18	A+C+G	F+E+C	F+E+C
19	A+D+E	F+A+G	F+A+G
20	A+D+F	F+A+D	F+A+D
21	A+E+F	F+C+D	F+C+D
22	B+C+D	G+E+A	G+E+A
23	B+C+E	G+E+B	G+E+B
24	B+C+F	G+E+D	G+E+D
25	B+D+E	G+A+B	G+A+B
26	B+D+F	G+F+D	G+F+D
27	B+E+F	G+B+D	G+B+D
28	C+D+E	G+C+B	F+C+B
29	C+D+F	G+F+C	G+F+C
30	C+D+G	E+G+C	E+G+C
31	C+E+F	E+G+F	E+G+F
32	C+E+G	E+B+C	E+B+C
33	C+F+G	G+D+C	G+D+C
34	D+E+F	A+B+D	A+B+D
35	D+E+G	A+B+C	A+B+C
37	E+F+G	B+D+C	B+D+C
38	A+B+C+G	B+G+F+C	A+D+E+C
39	A+B+D+G	A+G+D+F	A+G+D+F
40	A+B+E+G	F+G+B+D	F+G+B+D
41	A+B+F+G	F+A+D+C	F+A+B+G
42	C+D+E+F	E+A+B+D	E+A+B+D
43	A+B+C+D+E	F+G+E+A+B	F+G+E+A+B
44	A+B+C+D+F	F+G+E+A+D	F+G+E+A+D
45	A+B+C+D+G	F+G+E+A+C	F+G+E+A+C
46	A+B+C+E+F	F+G+E+B+D	F+G+E+B+D
47	A+B+C+E+G	F+G+E+B+C	F+G+E+B+C
48	A+B+C+F+G	F+G+E+D+C	F+G+E+D+C
49	A+B+D+E+F	F+E+A+B+D	F+E+A+B+D
50	A+B+D+E+G	F+G+A+B+C	F+G+A+B+C
51	A+B+D+F+G	F+G+A+D+C	F+G+A+D+C
52	A+B+E+F+G	F+G+B+D+C	F+G+B+D+C
53	A+C+D+E+G	F+E+A+B+C	A+G+B+D+F
54	A+C+D+F+G	F+E+A+D+C	F+E+A+D+C
55	A+C+E+F+G	F+E+B+D+C	F+E+B+D+C
56	A+D+E+F+G	E+A+B+D+C	E+A+B+D+C
57	B+C+D+E+G	G+E+A+B+C	G+E+A+B+C
58	B+C+D+F+G	G+E+A+D+C	G+E+A+D+C
59	B+C+E+F+G	G+E+B+D+C	G+E+B+D+C
60	B+D+E+F+G	G+A+B+D+C	G+A+B+D+C
61	A+B+C+D+E+F	F+G+E+A+B+D	A+B+G+C+E+F
62	A+C+D+E+F+G	F+G+A+B+D+C	F+G+A+B+D+C
63	B+C+D+E+F+G	G+E+A+B+D+C	G+E+A+B+D+C

. Please note that the third column of Table 27 is not obtained by direct transformation of B⇌C in $N_1$. Rather, it is obtained after the execution of various steps as discussed earlier. Since one bit of $A+G$ is removed from the unknown, bit number 7 which was initially querying $A+G$ can now be used to query one extra bit of G. Bit number 2 which was just a combination of side information $E+F$ can be used to query second extra bit of G. Bit number 8 and 28 are modified to query C with two extra known singleton B bits since one $B+G$ bit in known set is removed. Since bit number 8 which queried $B+G$ which was required to obtain third bit of unknown $A+B+G$ is modified, the third bit of $A+B+G$ is queried by modifying bit number 38. This modification removes the retrieval of one bit of demand using $A+D$. This is neutralised by modifying bit number 41 to remove query of demand with $B+G$ (since 2 bits of $B+G$ was removed from known set) and replace it with $A+D$. Since this $A+B+G$ is queried directly, A retrieved in bit number 11 which was supposed to be the A in $A+B+G$ can be now used to retrieve the extra singleton bit A which came to the unknown side. Finally, bit number 53 which was the bit that used $A+B$ to query C can now be used to query $A+B+D+G$ (since one bit of $A+C$ is removed from known) while bit number 61 which was initially supposed to query $A+B+D+G$ is now used to retrieve C with the extra $A+B+G$ bit that is available in the known set. Query to $N_1$, the transformation of B⇌C to query of $N_2$ for the case of B as the demand and $EF$ are the side information, and the final exchange in bit positions are displayed in the last three columns of Table 27. Thus, the last column of this table forms the query to $N_2$ when $EF$ are the side information and C is the demand.

In general, when handling the other cases of $\{DE,DF\}$ as the side information, the procedure for obtaining query for $N_2$ is similar to that when $EF$ are the side information. We pick the query submitted to $N_2$ for the case of B as the demand and $\{DE,DF\}$ as the side information respectively and perform the transformation between B with C. The modifications made to the new query after transformation when $EF$ were the side information can be reproduced to retrieve B from $N_2$.

5.3.4. One of $\{D,E,F\}$ Is the Demand

When one of $\{D,E,F\}$ is the demand, the known and unknown byproduct combinations are symmetric if either A or B is one of the side information. The demand can be retrieved similar to the operation mentioned in step 8 of the code construction in Section 3. For other side information pairs which does not have either A or B in side information, the known and unknown byproduct combinations are same as the previous case where C was the demand and one of $\{DE,DF,EF\}$ were side information with two exceptions. One bit of A goes to the unknown side while one bit of $A+G$ comes to the known side. For exposition let us consider D as the demand. To obtain the query for $N_2$, perform the transformation of C⇌D to the query for $N_2$ in Table 27. To this new query, use any bit that queries $A+G$ to query A. Use any bit that retrieves D using A to retrieve D using $A+G$.

In general, when handling the other cases of $\{E,F\}$ as the demand, pick the query submitted to $N_2$ for the case of C as the demand and $\{DE,DF,EF\}$ as the side information respectively and perform the transformation between C with demand. The modifications made to the new query after transformation when D was the demand can be reproduced to retrieve demand from $N_2$. This completes all side information cases when one of $\{D,E,F\}$ is the demand and G is one of the byproducts. Therefore, all cases with one of $\{D,E,F\}$ as the demand are retrievable.

6. Discussion and Directions for Future Work

In this work, we have presented the first XOR-based code construction for a PIR-PSI setting involving $N=2$ databases and $M=2$ side information. We have shown that our codes achieve the rate $\frac{2^{K-2}}{2^{K-1}-1}$. Although our code construction marginally falls short of the capacity of PIR-PSI setting, it offers substantial reduction in the decoding complexity when compared to the MDS counterpart (which achieves the capacity). This implies that our codes are applicable when multiple files have to be downloaded by a user at different time-instants from the two databases. We believe that this work can be extended in one of the following directions, namely: (i) How to construct XOR-based PSR-PSI codes for $N=2$ non-colluding databases with arbitrary values of M side information messages? (ii) How to construct XOR-based PSR-PSI codes for arbitrary values of N and M? and finally, (iii) Do XOR-based PIR-PSI codes exist that achieve the capacity of the PSR-PSI setting? Importantly, we have shown that our codes provide rates strictly higher than the capacity of PIR schemes. Among the above set of questions posed for future research, we believe that solving (iii) is challenging. A probable reason for the fall in rate for XOR-based code constructions is the XOR constraint itself. In the simplest setting of $K=4$, the capacity is $\frac{2}{3}$. To achieve this rate, the query must consist of 3 codewords satisfying the criteria in Section 2.1 such that 2 of them retrieve the demand. Using exhaustive search, we observe that this scenario is hard to begin with, and therefore, we believe that the problem is challenging for arbitrary values of K.