Embed Size (px)
DESCRIPTION
Secret Sharing Schemes Based on Minimum Bandwidth Regenerating Codes. Masazumi KURIHARA (Univ. of Electro-Communications) Hidenori KUWAKADO (Kobe Univ.) ISITA2012, Honolulu, Hawaii, U.S.A., Oct. 28 - 31, 2012. Outline. Introduction - PowerPoint PPT Presentation
Citation preview
Secret Sharing Schemes Based on Minimum Bandwidth Regenerating Codes
Masazumi KURIHARA (Univ. of Electro-Communications)Hidenori KUWAKADO (Kobe Univ.)
ISITA2012, Honolulu, Hawaii, U.S.A., Oct. 28 - 31, 2012
1
Outline1. Introduction
Distributed storage system, Regenerating Code, and Secrecy
2. Minimum Bandwidth Regenerating(MBR) CodesThe MBR code proposed by Rashmi, Shah and Kumar
3. Secure Regenerating(SR) CodesThe secure regenerating(SR) code based on the MBR code
4. Evaluation5. Conclusions
2
Share (Share size symbols )𝛼1
2
i
n
⋮
⋮
Message(B symbols)
Storage node (Storage capacity symbols over .)
⋯Data collector(end-user)
Encoding and distributing
Message
k shares
n
k
⋮ Reconstruction
f
⋮
3
Distributed Storage System
Share (Share size symbols )𝛼1
2
i
n
⋮
⋮
Message(B symbols)
⋯
Encoding and distributing
Message
k shares
n
k
⋮ Reconstruction
Re-encoding
Share
𝑓
𝑓
⋮
4
Typical repair method using a reconstruction
The failed node
( Repair-bandwidth )
( size )𝛼
Repair-bandwidth
Regenerating Codes• For the repair problem, Dimakis et al. proposed a new concept of code called
“regenerating code”. Dimakis, Godfrey, Wu, Wainwright and Ramchandran[Dimakis, et al., 2010]
• The code is defined by six parameters . • The code have the following two properties:
– Reconstruction Property:• An end-user(called data-collector) is permitted to connect to any
active nodes to reconstruct a message.– Regeneration Property:
• A failed node is permitted to connect to any active nodes (called helper-nodes) to repair itself.
• They showed that the regenerating code can reduce the repair-bandwidth.
5
Share (Share size symbols )𝛼1
2
i
n
⋮
⋮
Message(B symbols)
⋯The failed node
d pieces
n
𝑑(≥𝑘)
⋮Regenerating
Share
𝑓
𝑓
⋮
6
piece-vector ( )( piece-vector size )
( repair-bandwidth)
Piece(Piece size symbols)
Method using a regenerating code for repair( Repair-bandwidth = piece-vector size = )
Helper-node
Helper-node
Helper-node
⋮
⋯
Piece
Piece
⋯ ⋯
Regenerating Codes• Furthermore, they showed the trade-off between a storage-
capacity and a repair-bandwidth.
• In the trade-off, there are two special types of regenerating codes as follows: (for fixed and ) – An Minimum Bandwidth Regenerating(MBR) code
• First minimizing , and then minimizing .• An MBR code satisfies
– An Minimum Storage Regenerating(MSR) code • The minimization in the reverse order. • An MSR code satisfies
7
Secrecy on Distributed storage System
• A regenerating code may be similar to a secret sharing scheme.
• The secret sharing scheme(SSS) produces shares in such a way that a share does not give any information about a secret.
• However, in general, the SSS does not have the regeneration property.
• On the other hand, in the concept of a regenerating code, the regenerating code does not have the secrecy property.
8
Prior work(related work) for secure MBR codes
• Pawar, Rouayheb and Ramchandran[Pawar, et al., 2011]– The first secure regenerating code based on an MBR code.– However, the secure regenerating code is confined to the case of .
• Shah, Rashmi and Kumar[Shah, et al., 2011]– An secure Product-Matrix Minimum Bandwidth Regenerating(PM-MBR)
code for . – The code is also based on an MBR code. – The parameters and are chosen independently.
• Our proposal secure regenerating(SR) code for in this study. – Shah et al.’s code and our code are based on the same MBR code.– Our code is different from their code.
9
Secrecy on Regenerating Code• Let denote a random variable with a uniform distribution over representing a
secret where .• Let denote random variables representing shares from the secret .• Let denote random variables representing piece-vectors.
• For a regenerating code, we have to consider the following two secrecy conditions: 1. Secrecy for shares:
For any shares , , where .
2. Secrecy for piece-vectors: For any piece-vectors , , where .
10
MBR codes[Rashmi, et al., 2011](Section 2)
• Rashmi, Shah and Kumar proposed an MBR code for all values of where [Rashmi, et al., 2011]
• The parameters of the MBR code satisfy as follows:
• Hence, the MBR code is defined by the three parameters from the above relations.
11
• The MBR code with message symbols is obtained from a message matrix which is a symmetric matrix.
• The message symbols are substituted for components of the message matrix as follows:
A message matrix of the MBR code
k
d
kd
kd
k
B message symbols
d
12
00
00
,1,
,11,1
,,,1,
,11,1,11,1
kdd
kkk
dkkkkkk
dkk
uu
uuuuuu
uuuu
M
Encoding, Shares and Reconstruction• For each node , a share is defined as
where is a coding vector associated with node .
• Hence, shares are obtained as follows:
• The message matrix can be reconstructed from any shares by using the reconstruction method by Rashmi et al.
13
(𝑑×𝑛) (𝑑×𝑑)(𝑑×𝑛)
• An Secure Regenerating(SR) code is based on an MBR code and have the following properties:
1. The three parameters are derived from the underlying MBR code.
2. The new parameter is a secrecy parameter. 3. The parameter means the perfect secrecy condition as
follows: for any ,
14
( , , , ) Secure Regenerating(SR) codes𝑛 𝑘 𝑑 𝑚(Section 3)
Construction of an Secure Regenerating(SR) Code
• To construct an secure regenerating(SR) code, instead of message symbols, we substitute secret symbols and random symbols for components of the message matrix .– The numbers and are defined by the secrecy parameter as
follows: and
• The idea of the construction is simple.• However, we have carefully to choose the components of the
message matrix as follows:
15
• When
4k
6d
16
A message matrix for an underlying MBR code
B message symbols
4k
0000
4,63,62,61,6
4,53,52,51,5
6,45,44,43,42,41,4
6,35,34,33,22,31,3
6,25,24,23,22,21,2
6,15,14,13,12,11,1
uuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuu
M
A message Matrixfor an secure regenerating(SR) code
4k
6d
2m broken lines
2 mk broken lines
random symbols
secret symbolsSL
RL
0000
4,63,62,61,6
4,53,52,51,5
6,45,44,43,42,41,4
6,35,34,33,22,31,3
6,25,24,23,22,21,2
6,15,14,13,12,11,1
uuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuu
M
17
st1nd2
st1nd2
• When 7.
• The shares for the secret are derived from the encoding method of the underlying MBR code as follows:
• We can execute a reconstruction and a regeneration for the secure regenerating(SR) code in the same way as the underlying MBR code.
18
Evaluation (shares) (Section 4)
• Theorem: For any shares of the secure regenerating(SR) code,
where , and the function is defined by
• is a quadratic polynomial in in the range .
• In particular, – : Perfect secrecy– : Reconstruction
• The reason using the function is that we are interested not only in a perfect secrecy, but also in a ramp type’s secrecy.
19
Number of shares
Unce
rtain
ty 𝐻
(𝑆|𝐶
𝑖 1,…,𝐶
𝑖 𝑡)
𝑔 (𝑡 )When
20
versus
Non-linear ramp
Perfect secrecy
Reconstruction
𝑔 (𝑥)¿𝐿𝑆=𝐻 (𝑆) 𝑔 (𝑡 )=0𝑔 (𝑡 )=12 (𝑡−𝑘)¿
quadratic polynomial function
𝐿𝑆
37 𝐿𝑆
𝑂 1 2 3 4 5𝑡
𝑚 𝑘
Evaluation(piece-vectors)
• Similarly, we have the following theorem for piece-vectors.
• Theorem: For any piece-vectors of secure regenerating(SR) code,
• In particular, – : Perfect secrecy– : Reconstruction
21
Conclusions(Section 5)1. The construction of an secure regenerating(SR) code based
on an MBR code.
2. The secrecy ability of the secure regenerating(SR) code. 1. for any shares.2. for any piece-vectors.
3. The secure regenerating(SR) code is a (non-linear) ramp scheme.
4. The secure regenerating(SR) code achieves the upper bound of the secrecy capacity
22
Additional Slides
23
Distributed Storage System • There are storage nodes in a network.• The storage capacity of each node is symbols over a finite field .
• Encoding and Distribution: • A message consisting of message symbols is encoded to shares
in such a way that the message can be reconstructed from any shares, and the shares are stored across storage nodes.
• The share-size equals to the storage capacity.
• In the system, the message can be reconstructed from active nodes even if several nodes fail.
24
Repairing a failed node• On the other hand, we have to repair the failed node to
maintain the system, that is, the failed node have to regenerate the share of itself.
• In a typical repair method, the failed node can regenerate the share by using a reconstruction.
• However, the reconstruction spends the network traffic because the message-size is greater than the share-size .
• The amount of downloaded data for repair is called the repair-bandwidth.
• In the case of a reconstruction, the repair-bandwidth is , which is the message-size.
25
Regenerating Codes• They showed that the regenerating code can reduce the
repair-bandwidth.
• The data-size of downloaded data(called piece) from each helper-node is symbols. Consequently, the repair band-width is .
• The vector consisting of pieces is called a piece-vector.
26
Secrecy on Regenerating Code• Let denote a random variable with a uniform distribution over
representing a secret where .
• Let denote random variables representing shares from the secret .• The reconstruction can be represented as follows: for any shares , . • Let denote random variables representing piece-vectors.• The regeneration can be represented as follows: for a failed node , . • From the regeneration property, we have .
27
Regeneration for the MBR code
• Two pages.
28
Regeneration for the MBR code• Suppose that a node fails and helper-nodes are active.• Each helper node computes a piece for the failed node as
follows:
where , and send it to the failed node.
• As a result, the failed node obtains the piece-vector as follows:
• Note that the repair-bandwidth equals to the size of piece-vector.
29
Regeneration for the MBR code
• The failed node can regenerate the share from the piece-vector as follows:
where the matrix is nonsingular (i.e.,.)
• Form the above relation between and , the piece-vector is also determined from the share (i.e., ).
• Hence, for the MBR code, “” is equivalent to “”.
30
The difference between Shah et al.’ code and our code (four pages)
• When their code and our code have the same secrecy ability. -PM-secure-MBR code secure regenerating code
• Their code and our code differ in the position of random symbols and that of secret symbols in a message matrix as follows:
31
• When
4k
6d
32
Message Matrix for the underlying MBR code
B message symbols
4k
0000
4,63,62,61,6
4,53,52,51,5
6,45,44,43,42,41,4
6,35,34,33,22,31,3
6,25,24,23,22,21,2
6,15,14,13,12,11,1
uuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuu
M
Our code( the secure regenerating code )
4k
6d
2m broken lines
2 mk broken lines
random symbols
secret symbolsSL
RL
0000
4,63,62,61,6
4,53,52,51,5
6,45,44,43,42,41,4
6,35,34,33,22,31,3
6,25,24,23,22,21,2
6,15,14,13,12,11,1
uuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuu
M
33
st1nd2
st1nd2
• When 7.
Shah et al.’s secure MBR code[Shah, et al., 2012]( the -PM-secure-MBR code )
4k
6d
2m lines
2 mk
nd2st1
lines
random symbols
secret symbolsSL
RL
0000
'
4,63,62,61,6
4,53,52,51,5
6,45,44,43,42,41,4
6,35,34,33,22,31,3
6,25,24,23,22,21,2
6,15,14,13,12,11,1
uuuuuuuu
uuuuuuuuuuuuuuuuuuuuuuuu
M
34
nd2st1
• When 7.
Proof(two pages)
• The idea of construction of the secure regenerating code is simple.
• However, many pages are expended to proof the secrecy of the secure regenerating code.
35
• It is a key point of the proof that the submatrix is nonsingular.
• [
• The components of shares are linearly independent.
O
random symbols secret symbolsSL
RL
Rearranging
Matrix expression
Vector expression
36
Secrecy capacity and its upper bound
• Four pages
37
Secrecy capacity and its upper bound• The secrecy capacity is defined to be the maximum amount of data that can be
stored in the distributed storage system such that the reconstruction property and two the conditions are simultaneously satisfied for all possible data-collectors and eavesdroppers, that is,
• Furthermore, we have the following upper bound of :
• Both the secrecy capacity and the upper bound are the refined versions of that proposed by Pawar et al.[Pawar, et al.,2011].
38
For an MBR code, we can assume that without loss of generality
• In particular, for an MBR code, when a regenerating function is bijective, the following two propositions are true because and .
• implies . • implies
• Hence, we can assume that without loss of generality for an MBR code.
• Consequently, is equivalent to .
39
Secrecy capacity and its upper bound for an secure regenerating code
• For an secure regenerating (secure MBR) code, that is, , we have the following simplified expressions:
• The secrecy capacity :
• The upper bound of the secrecy capacity:
• Both the secrecy capacity and the upper bound are identical to that of Pawar et al.[Pawar, et al.,2011].
40
Evaluation(upper bound)• Finally, for the parameters of an secure regenerating code,
the upper bound of the secrecy capacity is simplifies to
• Hence, the secure regenerating code achieves the upper bound of the secrecy capacity because of .
𝐶𝑆 (𝑛 ,𝑘 ,𝑑 ,𝛼=𝑑 , 𝛽=1 ; 𝑙=𝑚 ,𝑚 )≤ ∑𝑗=𝑚+1
𝑘
(𝑑− 𝑗+1 )=𝐿𝑆
41
