420 likes | 634 Views
Secret Sharing Schemes Based on Minimum Bandwidth Regenerating Codes. Masazumi KURIHARA (Univ. of Electro-Communications) Hidenori KUWAKADO (Kobe Univ.) ISITA2012, Honolulu, Hawaii, U.S.A., Oct. 28 - 31, 2012. Outline. Introduction
E N D
Secret Sharing Schemes Based on Minimum Bandwidth Regenerating Codes Masazumi KURIHARA (Univ. of Electro-Communications) Hidenori KUWAKADO (Kobe Univ.) ISITA2012, Honolulu, Hawaii, U.S.A., Oct. 28 - 31, 2012
Outline • Introduction Distributed storage system, Regenerating Code, and Secrecy • Minimum Bandwidth Regenerating(MBR) Codes The MBR code proposed by Rashmi, Shah and Kumar • Secure Regenerating(SR) Codes The secure regenerating(SR) code based on the MBR code • Evaluation • Conclusions
Distributed Storage System Storage node (Storage capacity symbols over .) Share (Share size 𝛼 symbols ) Data collector(end-user) 1 k shares k Message (B symbols) 2 Reconstruction Message f n i Encodingand distributing n
Typical repair method using a reconstruction ( Repair-bandwidth ) Share (Share size 𝛼 symbols ) The failed node Repair-bandwidth 1 k shares k Message (B symbols) 2 Reconstruction Message n i Encodingand distributing Re-encoding Share (size 𝛼 ) n
Regenerating Codes • For the repair problem, Dimakis et al. proposed a new concept of code called “regenerating code”. Dimakis, Godfrey, Wu, Wainwright and Ramchandran[Dimakis, et al., 2010] • The code is defined by six parameters . • The code have the following two properties: • Reconstruction Property: • An end-user(called data-collector) is permitted to connect to anyactive nodes to reconstruct a message. • Regeneration Property: • A failed node is permitted to connect to anyactive nodes (called helper-nodes)to repair itself. • They showed that the regenerating code can reduce the repair-bandwidth.
Method using a regenerating code for repair ( Repair-bandwidth = piece-vector size = ) Share (Share size 𝛼 symbols ) The failed node 1 d pieces Helper-node Piece Message (B symbols) 2 piece-vector( ) ( piece-vector size ) ( repair-bandwidth) Regenerating Piece Helper-node n i Piece (Piece size symbols) Helper-node Share n
Regenerating Codes • Furthermore, they showed the trade-off between astorage-capacity and a repair-bandwidth. • In the trade-off, there are two special types of regenerating codes as follows: (for fixed and ) • An Minimum Bandwidth Regenerating(MBR) code • First minimizing , and then minimizing . • An MBR code satisfies • An Minimum Storage Regenerating(MSR) code • The minimization in the reverse order. • An MSR code satisfies
Secrecy on Distributed storage System • A regenerating code may be similar to a secret sharing scheme. • The secret sharing scheme(SSS) produces shares in such a way that a share does not give any information about a secret. • However, in general, the SSS does not have the regeneration property. • On the other hand, in the concept of a regenerating code, the regenerating code does not have the secrecy property.
Prior work(related work) for secure MBR codes • Pawar, Rouayheb and Ramchandran[Pawar, et al., 2011] • The first secure regenerating code based on an MBR code. • However, the secure regenerating code is confined to the case of . • Shah, Rashmiand Kumar[Shah, et al., 2011] • An secure Product-Matrix Minimum Bandwidth Regenerating(PM-MBR) code for . • The code is also based on an MBR code. • The parameters and are chosen independently. • Our proposal secure regenerating(SR) code for in this study. • Shah et al.’s code and our code are based on the same MBR code. • Our code is different from their code.
Secrecy on Regenerating Code • Let denote a random variable with a uniform distribution over representing a secret where. • Let denote random variables representing shares from the secret . • Let denote random variables representing piece-vectors. • For a regenerating code, we have to consider the following two secrecy conditions: • Secrecy for shares: For any shares , , where . • Secrecy for piece-vectors: For any piece-vectors , , where .
MBR codes[Rashmi, et al., 2011](Section 2) • Rashmi, Shah and Kumar proposed an MBR code for all values of where [Rashmi, et al., 2011] • The parameters of the MBR code satisfy as follows: • Hence, the MBR code is defined by the three parameters from the above relations.
A message matrix of the MBR code • The MBR code with message symbols is obtained from a message matrix which is a symmetric matrix. • The message symbols are substituted for components of the message matrix as follows: B message symbols
Encoding, Shares and Reconstruction • For each node , a share is defined as where is a coding vector associated with node . • Hence, shares are obtained as follows: • The message matrix can be reconstructed from any shares by using the reconstruction method by Rashmi et al.
(𝑛,𝑘,𝑑,𝑚) Secure Regenerating(SR) codes(Section 3) • An Secure Regenerating(SR) code is based on an MBR code and have the following properties: • The three parameters are derived from the underlying MBR code. • The new parameter is a secrecy parameter. • The parameter means the perfect secrecy condition as follows: for any ,
Construction of anSecure Regenerating(SR) Code • To construct an secure regenerating(SR) code, instead of message symbols, we substitute secret symbols and random symbols for components of the message matrix . • The numbers and are defined by the secrecy parameter as follows: and • The idea of the construction is simple. • However, we have carefully to choose the components of the message matrix as follows:
A message matrix for an underlying MBR code • When B message symbols
A message Matrixfor an secure regenerating(SR) code • When 7. secret symbols broken lines broken lines random symbols
The shares for the secret are derived from the encoding method of the underlying MBR code as follows: • We can execute a reconstruction and a regeneration for the secure regenerating(SR) code in the same way as the underlying MBR code.
Evaluation (shares) (Section 4) • Theorem: For any shares of the secure regenerating(SR) code, where , and the function is defined by • is a quadratic polynomial in in the range . • In particular, • : Perfect secrecy • : Reconstruction • The reason using the function is that we are interested not only in a perfect secrecy, but also in a ramp type’s secrecy.
versus When quadratic polynomial function Perfect secrecy Non-linear ramp Uncertainty Reconstruction Number of shares
Evaluation(piece-vectors) • Similarly, we have the following theorem for piece-vectors. • Theorem: For any piece-vectors of secure regenerating(SR) code, • In particular, • : Perfect secrecy • : Reconstruction
Conclusions(Section 5) • The construction of an secure regenerating(SR) code based on an MBR code. • The secrecy ability of the secure regenerating(SR) code. • for any shares. • for any piece-vectors. • The secure regenerating(SR) code is a (non-linear) ramp scheme. • The secure regenerating(SR) code achieves the upper bound of the secrecy capacity
Distributed Storage System • There are storage nodes in a network. • The storage capacity of each node is symbols over a finite field . • Encoding and Distribution: • A messageconsisting of message symbolsis encoded to sharesin such a way that the message can be reconstructed from any shares, and the shares are stored across storage nodes. • The share-sizeequals to the storage capacity. • In the system, the message can be reconstructed from active nodes even if several nodes fail.
Repairing a failed node • On the other hand, we have to repair the failed node to maintain the system, that is, the failed node have to regenerate the share of itself. • In a typical repair method, the failed node can regenerate the share by using a reconstruction. • However, the reconstruction spends the network traffic because the message-size is greater than the share-size . • The amount of downloaded data for repair is called the repair-bandwidth. • In the case of a reconstruction, the repair-bandwidth is , which is the message-size.
Regenerating Codes • They showed that the regenerating code can reduce the repair-bandwidth. • The data-size of downloaded data(called piece) from each helper-node is symbols. Consequently, the repair band-width is . • The vector consisting of pieces is called a piece-vector.
Secrecy on Regenerating Code • Let denote a random variable with a uniform distribution over representing a secret where. • Let denote random variables representing shares from the secret . • The reconstruction can be represented as follows: for any shares , . • Let denote random variables representing piece-vectors. • The regeneration can be represented as follows: for a failed node ,. • From the regeneration property, we have .
Regeneration for the MBR code • Two pages.
Regeneration for theMBR code • Suppose that a node fails and helper-nodes are active. • Each helper node computes a piece for the failed node as follows: where , and send it to the failed node. • As a result, the failed node obtains the piece-vector as follows: • Note that the repair-bandwidth equals to the size of piece-vector.
Regeneration for theMBR code • The failed node can regeneratethe share from the piece-vector as follows: where the matrix is nonsingular (i.e.,.) • Form the above relation between and , the piece-vector is also determined from the share (i.e., ). • Hence, for the MBR code, “” is equivalent to “”.
The difference between Shah et al.’ code and our code (four pages) • When their code and our code have the same secrecy ability. -PM-secure-MBR code secure regenerating code • Their code and our code differ in the position of random symbols and that of secret symbols in a message matrix as follows:
Message Matrix for the underlying MBR code • When B message symbols
Our code( the secure regenerating code ) • When 7. secret symbols broken lines broken lines random symbols
Shah et al.’s secure MBR code[Shah, et al., 2012]( the -PM-secure-MBR code ) • When 7. random symbols lines lines secret symbols
Proof(two pages) • The idea of construction of the secure regenerating code is simple. • However, many pages are expended to proof the secrecy of the secure regenerating code.
Matrix expression • It is a key point of the proof that the submatrix is nonsingular. • [ • The components of shares are linearly independent. Rearranging Vector expression random symbols secret symbols
Secrecy capacity and its upper bound • Four pages
Secrecy capacity and its upper bound • The secrecy capacity is defined to be the maximum amount of data that can be stored in the distributed storage system such that the reconstruction property and two the conditions are simultaneously satisfied for all possible data-collectors and eavesdroppers, that is, • Furthermore, we have the following upper bound of : • Both the secrecy capacity and the upper bound are the refined versions of that proposed by Pawar et al.[Pawar, et al.,2011].
For an MBR code, we can assume that without loss of generality • In particular, for an MBR code, when a regenerating function is bijective, the following two propositions are true because and . • implies . • implies • Hence, we can assume that without loss of generality for an MBR code. • Consequently, is equivalent to .
Secrecy capacity and its upper bound for an secure regenerating code • For an secure regenerating (secure MBR) code, that is, , we have the following simplified expressions: • The secrecy capacity : • The upper bound of the secrecy capacity: • Both the secrecy capacity and the upper bound are identical to that of Pawar et al.[Pawar, et al.,2011].
Evaluation(upper bound) • Finally, for the parameters of an secure regenerating code, the upper bound of the secrecy capacity is simplifies to • Hence, the secure regenerating code achieves the upper bound of the secrecy capacity because of .