Amos Fiat - Academia.edu
Papers by Amos Fiat
Lecture Notes in Computer Science, 1998
In this paper we give deterministic competitive k-server algorithms for all k and all metric spaces. This settles the k-server conjecture [MMS] up to the competitive ratio. The best previous result for general metric spaces was a 3-server randomized competitive algorithm [BKT] and a non-constructive proof that a deterministic 3-server competitive algorithm exists [BBKTW]. The competitive ratio we can prove is exponential in the number of servers. Thus, the question of the minimal competitive ratio for arbitrary metric spaces is still open.
Springer eBooks, 2004
Rackoff and Simon proved that a variant of Chaum's protocol for anonymous communication, later developed as the Onion Routing Protocol, is unlinkable against a passive adversary that controls all communication links and most of the nodes in a communication system. A major drawback of their analysis is that the protocol is secure only if (almost) all nodes participate at all times. That is, even if only n N nodes wish to send messages, all N nodes have to participate in the protocol at all times. This suggests necessity of sending dummy messages and a high message overhead. Our first contribution is showing that this is unnecessary. We relax the adversary model and assume that the adversary only controls a certain fraction of the communication links in the communication network. We think this is a realistic adversary model.
A layered graph is a connected graph whose vertices are partitioned into sets $L_0 = s, L_1, L_2, \ldots$, and whose edges, which have nonnegative integral weights, run between consecutive layers. Its width is $\{|L_i|\}$. In the on-line layered graph traversal problem, a searcher starts at s in a layered graph of unknown width and tries to reach a target vertex t; however, the vertices in layer i and the edges between layers i-1 and i are only revealed when the searcher reaches layer i-1. We give upper and lower bounds on the competitive ratio of layered graph traversal algorithms. We give a deterministic on-line algorithm which is $O(9^w)$-competitive on width-w graphs and prove that for no w can a deterministic on-line algorithm have a competitive ratio better than $2^{w-2}$ on width-w graphs. We prove that for all w, w/2 is a lower bound on the competitive ratio of any randomized on-line layered graph traversal algorithm. For traversing layered graphs consisting of w disjoint paths tied together at a common source, we give a randomized on-line algorithm with a competitive ratio of O(log w) and prove that this is optimal up to a constant factor.
This paper introduces HLDB, the first practical system that can answer exact spatial queries on continental road networks entirely within a database. HLDB is based on hub labels (HL), the fastest point-to-point algorithm for road networks, and its queries are implemented (quite naturally) in standard SQL. Within the database, HLDB answers exact distance queries and retrieves full shortest-path descriptions in real time, even on networks with tens of millions of vertices. The basic algorithm can be extended in a natural way (still in SQL) to answer much more sophisticated queries, such as finding the ten closest fast-food restaurants. We also introduce efficient new HL-based algorithms for even harder problems, such as best via point, ride sharing, and point of interest prediction. The HLDB framework makes it easy to implement these algorithms in SQL, enabling interactive applications on continental road networks.
We deal with the competitive analysis of algorithms for managing data in a distributed environment. We deal with the file allocation problem ([DF], [ML]), where copies of a file may be stored in the local storage of some subset of processors. Copies may be replicated and discarded over time so as to optimize communication costs, but multiple copies must be kept consistent and at least one copy must be stored somewhere in the network at all times. We deal with competitive algorithms for minimizing communication costs, over arbitrary sequences of reads and writes, and arbitrary network topologies. We define the constrained file allocation problem to be the solution of many individual file allocation problems simultaneously, subject to the constraints of local memory size. We give competitive algorithms for this problem on the uniform network topology. We then introduce distributed competitive algorithms for on-line data tracking (a generalization of mobile user tracking [AP1, AP3]) to transform our competitive data management algorithms into distributed algorithms themselves.
Lecture Notes in Computer Science, 1999
Traitor tracing schemes were introduced so as to combat the typical piracy scenario whereby pirate decoders (or access control smartcards) are manufactured and sold by pirates to illegal subscribers. Those traitor tracing schemes, however, are ineffective for the currently less common scenario where a pirate publishes the periodical access control keys on the Internet or, alternatively, simply rebroadcasts the content via an independent pirate network. This new piracy scenario may become especially attractive (to pirates) in the context of broadband multicast over the Internet. In this paper we consider the consequences of this type of piracy and offer countermeasures. We introduce the concept of dynamic traitor tracing which is a practical and efficient tool to combat this type of piracy. We also consider the static watermarking problem, presented by Boneh and Shaw, and derive bounds on the performance parameters of the "natural majority algorithm".
We study envy freeness up to any good (EFX) in settings where valuations can be represented via a graph of arbitrary size where vertices correspond to agents and edges to items. An item (edge) has zero marginal value to all agents (vertices) not incident to the edge. Each vertex may have an arbitrary monotone valuation on the set of incident edges. We first consider allocations that correspond to orientations of the edges, where we show that EFX does not always exist, and furthermore that it is NP-complete to decide whether an EFX orientation exists. Our main result is that (EFX) allocations exist for this setting. This is one of the few cases where EFX allocations are known to exist for more than 3 agents. CCS Concepts: • Theory of computation → Algorithmic game theory.
God help us if we ever take the theater out of the auction business or anything else. It would be an awfully boring world.
Lecture Notes in Computer Science, 1998
We present a model for web search that captures in a unified manner three critical components of the problem: how the link structure of the web is generated, how the content of a web document is generated, and how a human searcher generates a query. The key to this unification lies in capturing the correlations between these components in terms of proximity in a shared latent semantic space. Given such a combined model, the correct answer to a search query is well defined, and thus it becomes possible to evaluate web search algorithms rigorously. We present a new web search algorithm, based on spectral techniques, and prove that it is guaranteed to produce an approximately correct answer in our model. The algorithm assumes no knowledge of the model, and is well-defined regardless of the model's accuracy.
A recent seminal result of Räcke is that for any network there is an oblivious routing algorithm with a polylog competitive ratio with respect to congestion. Unfortunately, Räcke's construction is not polynomial time. We give a polynomial time construction that guarantees Räcke's bounds, and more generally gives the true optimal ratio for any network.
Theoretical Computer Science, Jun 1, 2004
Symposium on Discrete Algorithms, Jan 16, 2017
An f-Sensitive Distance Oracle with stretch preprocesses a graph G(V, E) and produces a small data structure that is used to answer subsequent queries. A query is a triple consisting of a set F E of at most f edges, and vertices s and t. The oracle answers a query (F, s, t) by returning a value d which is equal to the length of some path between s and t in the graph $G \setminus F$ (the graph obtained from G by discarding all edges in F). Moreover, d is at most times the length of the shortest path between s and t in $G \setminus F$. The oracle can also construct a path between s and t in $G \setminus F$ of length d. To the best of our knowledge we give the first nontrivial f-sensitive distance oracle with fast query time and small stretch capable of handling multiple edge failures. Specifically, for any f = o(log n log log n) and a fixed > 0 our oracle answers queries (F, s, t) in time $\tilde{O}(1)$ with (1 +) stretch using a data structure of size $n^{2+o(1)}$. For comparison, the naive alternative requires $m^f n^2$ space for sublinear query time. 1 Introduction. Dealing with failures is an essential part of modern computing. Built in processes that deal with failures are an essential part of many computing environments, from massive storage devices, large scale parallel computation, and communication networks. In this paper we study how to answer queries
SIAM Journal on Computing, 2007
We consider an online version of the conflict-free coloring of a set of points on the line, where each newly inserted point must be assigned a color upon insertion, and at all times the coloring has to be conflict-free, in the sense that in every interval I there is a color that appears exactly once in I. We present several deterministic and randomized algorithms for achieving this goal, and analyze their performance, that is, the maximum number of colors that they need to use, as a function of the number n of inserted points. We first show that a natural and simple (deterministic) approach may perform rather poorly, requiring $\Omega(\sqrt{n})$ colors in the worst case. We then derive several efficient algorithms. The first algorithm is randomized and simple to analyze; it requires an expected number of at most $O(\log^2 n)$ colors, and produces a coloring which is valid with high probability. The second algorithm is deterministic, and is a variant of the initial simple algorithm; it uses a maximum of $\Theta(\log^2 n)$ colors. The third algorithm is a randomized variant of the second algorithm; it requires an expected number of at most $O(\log n \log\log n)$ colors and always produces a valid coloring. We also analyze the performance of the simplest proposed algorithm when the points are inserted in a random order, and present an incomplete analysis that indicates that, with high probability, it uses only $O(\log n)$ colors. Finally, we show that in the extension of this problem to two dimensions, where the relevant ranges are disks, n colors may be required in the worst case.
Lecture Notes in Computer Science, 1994
We give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. This is particularly important for broadcast and database access systems, where the data should be accessible only to authorized users. Such schemes are very relevant in the context of pay television, and easily combine with and complement the Broadcast Encryption schemes of [ti]. 1 Introduction If only one person is told about some secret, and this next appears on the evening news, then the guilty party is evident. A more complex situation arises if the set of people that have access to the secret is large. The problem of determining guilt or innocence is (mathematically) insurmountable if all people get the exact same data and one of them behaves treacherously and reveals the secret. Any data that is to be available to some while it should not be available to others can obviously be protected by encryption. The data supplier may give authorized parties cryptographic keys allowing them to decrypt the data. This does not solve the problem above because it does not prevent one of those authorized to view the message (say, Alice) from transferring the cleartext message to some unauthorized party (say, Bob). Once this is done then there is no (cryptographic) means to trace the source of the leak. We call all such unauthorized access to data piracy. The traitor or traitors is the (set of) authorized user(s) who allow other, non-authorized parties to obtain the data. These non-authorized parties are called pirate users. In many interesting cases it is somewhat ineffective piracy if the relevant cleartext messages must be transmitted by the "traitor" to the "enemy". Typical cases where this is so include:
- Pay-per-view or subscription television broadcasts. It is simply too expensive and risky to start a pirate broadcast station.
- CD ROM distribution of data where a surcharge is charged for different parts of the data. The cleartext data can only be distributed on a similar storage device.
- Online databases, freely accessible (say on the internet) where a charge may be levied for access to all or certain records.
International Cryptology Conference, Aug 22, 1993
We introduce new theoretical measures for the qualitative and quantitative assessment of encryption schemes designed for broadcast transmissions. The goal is to allow a central broadcast site to broadcast secure transmissions to an arbitrary set of recipients while minimizing key management related transmissions. We present several schemes that allow a center to broadcast a secret to any subset of privileged users out of a universe of size n so that coalitions of k users not in the privileged set cannot learn the secret. The most interesting scheme requires every user to store $O(k \log k \log n)$ keys and the center to broadcast $O(k^2 \log^2 k \log n)$ messages regardless of the size of the privileged set. This scheme is resilient to any coalition of k users. We also present a scheme that is resilient with probability p against a random subset of k users. This scheme requires every user to store $O(\log k \log(1/p))$ keys and the center to broadcast $O(k \log^2 k \log(1/p))$ messages.