Secret Sharing in Distributed Storage Systems Illinois Institute of Technology Nexus of Information and Computation Theories Paris, Feb 2016 Salim El Rouayheb.

Presentation transcript:

Secret Sharing in Distributed Storage Systems Illinois Institute of Technology Nexus of Information and Computation Theories Paris, Feb 2016 Salim El Rouayheb

"How to Share a Secret?"
(n,k)=(4,2) threshold secret sharing [Shamir '79]
n=4: number of parties
k=2: threshold
l: colluding parties
Share size = 1 unit
Max secret size = k-l
K: random symbol independent of S
User needs 2 shares to decode the secret S
Diagram: Dealer with secret S; Party 1, Party 2, Party 3, Party 4 hold S+K, S+2K, S+3K, K; User. The shares are a Vandermonde matrix applied to the secret and the random keys.

How to Store a Secret? (and never lose it or reveal it)
Shares stored in a distributed system
"Failures are the norm rather than the exception" (Google)
Diagram: Dealer, Secret, Safe; Party 1, Party 2, Party 3, Party 4 hold S+K, S+2K, S+3K, K.
Party 1' (S+K, S+2K, K): Secret leaked!
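The leak on this slide, as an added example that is not code from the talk. It deals the slide's (4,2) shares over an assumed prime field GF(257), checks that one share alone is uniformly distributed whatever the secret is, and shows that a replacement party that rebuilds a lost share by downloading two whole shares necessarily learns S. Function names are assumptions.

```python
import secrets
from itertools import combinations

P = 257  # assumed prime field size; the slide does not fix a field

def deal(s, k=None):
    """Shares of the slide's (4,2) scheme: parties 1-3 hold S+K, S+2K, S+3K, party 4 holds K."""
    k = secrets.randbelow(P) if k is None else k
    return {1: (s + k) % P, 2: (s + 2 * k) % P, 3: (s + 3 * k) % P, 4: k % P}

def decode(view):
    """Recover (S, K) from any two shares given as {party: value}."""
    (i, yi), (j, yj) = sorted(view.items())
    if j == 4:                      # party 4 stores the key itself
        k = yj
    else:                           # two points on the line S + x*K
        k = (yj - yi) * pow(j - i, -1, P) % P
    return (yi - i * k) % P, k

def share_is_uniform(party):
    """For every secret, one share takes each field value exactly once over all keys."""
    return all(sorted(deal(s, k)[party] for k in range(P)) == list(range(P))
               for s in range(P))

def naive_repair(shares, failed, helpers):
    """Replacement downloads two whole shares, decodes, and re-encodes the lost share.
    Returns (rebuilt share, secret the replacement learned along the way)."""
    s, k = decode({h: shares[h] for h in helpers})
    rebuilt = k if failed == 4 else (s + failed * k) % P
    return rebuilt, s

if __name__ == "__main__":
    shares = deal(42)
    print(all(decode({a: shares[a], b: shares[b]})[0] == 42
              for a, b in combinations(shares, 2)))
    print(share_is_uniform(1))
    print(naive_repair(shares, failed=1, helpers=(2, 4)))
```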

Plan for this Talk
1) How to "repair" a secret? (2 takeaways)
2) How to deliver a secret? (1 takeaway)

i. How to repair a secret?

Repairing a secret using secure regenerating codes
Idea: minimize info observed by party 1'
Use "best" regenerating codes that minimize repair bandwidth [Dimakis et al. '10]
Here, repair bw ≥ 1.5 (info theoretic bound)
Secret size = k - repair bw =
Diagram (Dealer, Secret S, Party 1 to Party 4): k2+k3, k3+k1, s+k1+k2+k3, 2k1+k2+k3, k1+2k2+k3, s+2k3, s+k1, k1+k2
Diagram (Party 1'): k2+k3, s+k1+k2+k3, k1+2k2+k3, s+k2, k1+k2

Separation Scheme
Diagram: secret and keys → Maximum Rank Distance code → Minimum Storage Regenerating code → shares
Diagram labels: preprocessing for security; regenerating code instead of Reed-Solomon code to minimize repair bandwidth
Q: Does this separation-based scheme maximize the secret size under repair dynamics?
A: No! Separation is not optimal. (Takeaway #1)

A Scheme Better than Separation
(n,k)=(4,2) secret sharing
Keys k1, k2, k3 and secrets s1, s2 → (6,5) classical secret sharing, l=3, each share 1/3 unit
On failure: secret not leaked
We can store a secret of size 2/3 > 1/2 [Rashmi, Shah, Kumar, Ramchandran '09] [Pawar, R, Ramchandran '11]
Secret size = H(k shares) – H(downloaded data during repair)
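One way to realize this slide's scheme, as an added example that is not code from the talk. The slide gives only the parameters; the layout used here (one symbol of the (6,5) sharing per pair of parties, so each party stores three symbols and two parties together hold five), the field GF(13), the evaluation points and all function names are assumptions. Repair sends one symbol per helper, so a replacement sees exactly what a single party stores, and the exhaustive check confirms that such a view is uniform whatever the two secret symbols are.

```python
import secrets
from itertools import combinations, product

P = 13                                        # assumed small prime field
EDGES = list(combinations(range(1, 5), 2))    # 6 pairs of parties, one coded symbol per pair
SHARE_X = {e: x for x, e in enumerate(EDGES, start=1)}  # pair -> evaluation point 1..6
SECRET_X, KEY_X = (7, 8), (9, 10, 11)         # assumed points carrying s1,s2 and k1,k2,k3

def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points, mod P."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def encode(secret, keys=None):
    """(6,5) sharing with l=3: a degree <= 4 polynomial fixed by 2 secret and 3 key symbols."""
    if keys is None:
        keys = [secrets.randbelow(P) for _ in range(3)]
    pts = list(zip(SECRET_X + KEY_X, tuple(secret) + tuple(keys)))
    symbols = {e: lagrange_eval(pts, x) for e, x in SHARE_X.items()}
    # party v stores the three symbols of the pairs that contain v
    return {v: {e: y for e, y in symbols.items() if v in e} for v in range(1, 5)}

def repair(stores, failed):
    """Each surviving party sends only the one symbol it has in common with the failed party."""
    return {e: y for v, st in stores.items() if v != failed
            for e, y in st.items() if failed in e}

def decode(store_a, store_b):
    """Two parties hold 5 distinct symbols, enough to interpolate the polynomial."""
    pts = [(SHARE_X[e], y) for e, y in {**store_a, **store_b}.items()]
    return tuple(lagrange_eval(pts, x) for x in SECRET_X)

def views(secret, party):
    """Everything one party (or its replacement) can observe, over all key choices."""
    return {tuple(encode(secret, k)[party].values()) for k in product(range(P), repeat=3)}

if __name__ == "__main__":
    stores = encode((3, 5))
    print(decode(stores[2], stores[4]))             # the two secret symbols
    print(repair(stores, 1) == stores[1])           # repair downloads nothing extra
    print(len(views((3, 5), 1)) == P ** 3)          # one party's view is uniform
```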

General Problem Formulation
n: total number of parties/nodes
k: threshold to decode secret
l: colluding shares
d: helpers during repair
No dealer
Diagram labels: nodes 5, 6, …, n; d; User; 1'; k
What is the maximum secret size C_s, called secrecy capacity, that we can store and repair in a distributed storage system?

Secrecy Capacity
Theorem: [Pawar, R., Ramchandran '11] The secrecy capacity of a decentralized (n,k) secret sharing with repair degree d and l colluding parties is upper bounded by
where β is the amount of data sent by a party during the repair of a failed party.
Hard problem. Still open in general (more later).
Maybe the problem becomes more tractable if we add constraints on the repair bw = β on each link.
Diagram: Party 1, Party 2, Party 3, Party 4; failure; β on each repair link; (n,k)=(4,2) secret sharing, β=1/3, secret size
Previous scheme achieves secrecy capacity

Proof Ingredients
Functional instead of exact repair
Flowgraph representation (Multicast)
Securing minimum cuts
Diagram: User 1, User 2, User 3, User 4

Achievability
For d=n-1: keys k1, k2, …, kR and secrets s1, s2, …, s(M-R) → (θ,M) classical secret sharing, l=R → Party 1, Party 2, Party 3, …, Party n
For any d, secure MBR Product-Matrix can be used [Rashmi, Shah, Kumar '11]
Theorem: [Pawar, R., Ramchandran '10] Suppose β≤1/d, the secrecy capacity of a decentralized (n,k) secret sharing with repair degree d and l colluding parties is given by

Product-Matrix Codes
Example: (5,2,3), α=3 and field size q=7 [K. V. Rashmi, N. B. Shah and P. V. Kumar, '11]
Message matrix M =
k1 k2 k3
k2 s1 s2
k3 s2 0
Ψ = Vandermonde matrix
Storage system:
Node 1: k1+k2+k3, k2+s1+s2, k3+s2
Node 2: k1+2k2+4k3, k2+2s1+4s2, k3+2s2
Node 3: k1+3k2+2k3, k2+3s1+2s2, k3+3s2
Node 4: k1+4k2+2k3, k2+4s1+2s2, k3+4s2
Node 5: k1+5k2+4k3, k2+5s1+4s2, k3+5s2
Replacement node: 3'
General form of message matrix
Remark: File reconstruction follows from the use of Vandermonde matrix
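The slide's (5,2,3) example over GF(7), as an added example that is not code from the talk or from the cited paper. The symmetric message matrix and the Vandermonde rows (1, i, i^2) are read off the stored symbols on the slide; the function names and the repair procedure (each helper sends one inner product, the replacement solves a 3x3 system and uses the symmetry of M) are assumptions. It covers storage, repair of node 3 and the one-node secrecy check, not file reconstruction.

```python
from itertools import product

Q = 7                                   # field size from the slide

def psi(i):
    """Row of the Vandermonde matrix for node i: (1, i, i^2) mod 7."""
    return (1, i % Q, i * i % Q)

def message_matrix(s, k):
    (s1, s2), (k1, k2, k3) = s, k
    return ((k1, k2, k3), (k2, s1, s2), (k3, s2, 0))   # symmetric 3x3 matrix

def store(i, M):
    """Node i stores psi_i * M, i.e. alpha = 3 symbols."""
    return tuple(sum(a * M[r][c] for r, a in enumerate(psi(i))) % Q for c in range(3))

def helper_symbol(j, M, failed):
    """Helper j sends the single symbol psi_j * M * psi_failed^T."""
    return sum(a * b for a, b in zip(store(j, M), psi(failed))) % Q

def solve3(A, y):
    """Solve the 3x3 system A x = y over GF(7) by Gauss-Jordan elimination."""
    rows = [list(r) + [v] for r, v in zip(A, y)]
    for c in range(3):
        p = next(r for r in range(c, 3) if rows[r][c] % Q)   # pivot row
        rows[c], rows[p] = rows[p], rows[c]
        inv = pow(rows[c][c], -1, Q)
        rows[c] = [v * inv % Q for v in rows[c]]
        for r in range(3):
            if r != c:
                f = rows[r][c]
                rows[r] = [(a - f * b) % Q for a, b in zip(rows[r], rows[c])]
    return tuple(r[3] for r in rows)

def repair(failed, helpers, M):
    """Replacement solves Psi_helpers x = received; x = M psi_f^T equals psi_f M since M = M^T."""
    received = [helper_symbol(j, M, failed) for j in helpers]
    return solve3([psi(j) for j in helpers], received)

def node_views(s, i):
    """All contents node i can hold for secret s, over every choice of keys."""
    return {store(i, message_matrix(s, k)) for k in product(range(Q), repeat=3)}

if __name__ == "__main__":
    M = message_matrix((3, 5), (1, 2, 6))          # constructed sample values
    print(store(4, M))                             # k1+4k2+2k3, k2+4s1+2s2, k3+4s2
    print(repair(3, (1, 2, 4), M) == store(3, M))  # node 3' regains node 3's content
    print(len(node_views((3, 5), 3)) == Q ** 3)    # stored content is uniform
```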

Back to the Original Problem with no BW Constraints
Theorem: [Tandon et al. '14] The previous schemes achieve capacity in the non-bw constrained regime in the following cases:
1) (n,n-1) perfect (i.e. l=n-2) secret sharing, with d=n-1, by
2) (n,2) perfect (l=1) secret sharing and any repair degree d,
Diagram: Party 1, Party 2, Party 3, Party 4; failure; β on each repair link; (n,k)=(4,2) secret sharing, β=1/3, secret size
Previous scheme achieves secrecy capacity

Beyond Bandwidth Limited regime (cont'd)
(n,k)=(4,2) secret sharing, l=1
We want to show that for any β:
Secrecy:
D1 = (D21, D31, D41)
Similarly
Diagram labels: W1, W2, W3, W4 (Party 1 to Party 4); D21, D31, D41 and W1 (Party 1')

Open Problems
Characterization of the secrecy capacity for any (n,k) secret sharing with any d and l.
Security in the case of functional repair?
What if the parties are malicious?
MDS codes are everywhere. What is the maximum secret size that they can achieve?
Table 1: Summary of results. Columns: (n,k) secret sharing with k=2, k=3, k=4, …, k=n-2, k=n-1. Rows: perfect secret sharing (l=k-1); imperfect secret sharing (l<k-1). Cited results: [Bitar, ER '15], [Pawar, ER, Ramchandran '11].

How to repair MDS (Shamir's) Scheme?
Theorem: [Goparaju, R., Calderbank, Poor Netcod '13] The linear secure capacity of an (n,k) storage system with exact repair is
where l is the number of eavesdropping parties.
Achievable for d=n-1 (contact all available nodes when repairing)
Diagram labels: (n,k) MDS code; l colluding parties; repair degree d; nodes 5, 6, …, n; User; 1'; k

Information Leakage
Theorem: [Goparaju, R., Calderbank, Poor Netcod '13] The linear secure capacity of an (n,k=n-2) storage system with exact repair is
Max secret size decreases exponentially with l. (Takeaway #2)

The Linear case
Theorem: [Goparaju, R., Calderbank, Poor Netcod '13]
(n,k)=(5,3), l=2 colluding parties
Data observed by the l parties = Data stored on parties 1' and 5' + Data downloaded from party 2

A Taste of the Proof…
Party 1' downloads:
Diagram labels: 1'; S3, S(k+1), S(k+2)
Analogy to interference alignment
Write these subspace conditions for all failures
Use them to prove the theorem by induction

Secure Code Construction
Diagram: file and keys → MRD (maximum rank distance) → Zigzag codes → storage system [Tamo et al. '11] [Silberstein et al. '12]
Open problems:
Upper bound achievable if all nodes can be wiretapped?
Do functional repair and/or non-linear coding increase secure capacity?
What about d<n-1?

ii. How to deliver a secret?

What is the communication cost of delivering the secret to a user?
(n,k)=(4,2) secret sharing with l=1 colluding parties
User 1 downloads 2 units. Can decode the secret and the key. But doesn't want the key.
User 2 contacts 3 shares (d=3) and downloads 3/2 units.
Diagram (User 1, secret S, key K): shares S+K, S+2K, S+3K, K
Diagram (User 2, secret s1, s2, keys k1, k2): s1+k1, s2+k2, s2+k1, s1+k2, k1, k2, s1+s2+k1, s1+2s2+k2; downloaded: k1, s1+k1, s2+k1
Comm. cost can be decreased because the user does not need to decode the keys. (Takeaway #3)

How to Deliver a Secret?
Theorem: [Huang, Langberg, Kliewer, Bruck '15]
Characterization of the minimum communication cost (CC(d)) for a given d
Achievability of the bound for d=n via deterministic, Reed-Solomon based, codes
Achievability of the bound simultaneously for all d, k≤d≤n, via random codes
Diagram (secret s1, s2, keys k1, k2, d=3): s1+k1, s2+k2, s2+k1, s1+k2, k1, k2, s1+s2+k1, s1+2s2+k2; downloaded: k1, s1+k1, s2+k1

Staircase codes
Theorem: [Bitar, El Rouayheb ISIT'16] The (n,k) universal staircase code constructed as follows in GF(q), q≥n, achieves minimum communication cost for any d, such that k≤d≤n.
Theorem: [Bitar, El Rouayheb ISIT'16] There exists an (n,k,d) staircase code constructed in GF(q), q≥n, and that achieves minimum communication cost for k≤d≤n and any l<k.
Diagram label: Vandermonde

(4,2) Universal Staircase Codes
Encoding:
Party 1: s1+s2+s3+k1, s4+s5+s6+k2, k1+k2+k3, s3+k4, s6+k5, k3+k6
Party 2: s1+2s2+4s3+3k1, s4+2s5+4s6+3k2, k1+2k2+4k3, s3+2k4, s6+2k5, k3+2k6
Party 3: s1+3s2+4s3+2k1, s4+3s5+4s6+2k2, k1+3k2+4k3, s3+3k4, s6+3k5, k3+3k6
Party 4: s1+4s2+s3+4k1, s4+4s5+s6+4k2, k1+4k2+k3, s3+4k4, s6+4k5, k3+4k6
User decodes: s3, s6, k3, k4, k5, k6; k1, k2; s1, s2, s4, s5; k1, k2, k3; s1, s2, s3, s4, s5, s6
User downloads: 12 packets, 9 packets, 8 packets.

Open problems
Are there communication-efficient secret sharing schemes with general access structure, i.e., beyond threshold secret sharing?
What if the dealer does not have direct access to the parties, but can reach them through a network?
What if the shares are controlled by a malicious adversary?
Repairable secret shares with min communication cost?

QUESTIONS?