Secret Sharing in Distributed Storage Systems Illinois Institute of Technology Nexus of Information and Computation Theories Paris, Feb 2016 Salim El Rouayheb.


1 Secret Sharing in Distributed Storage Systems. Salim El Rouayheb, Illinois Institute of Technology. Nexus of Information and Computation Theories, Paris, Feb 2016.

2 “How to Share a Secret?” (n,k)=(4,2) threshold secret sharing [Shamir ‘79]. n=4: number of parties; k=2: threshold; l colluding parties. Share size = 1 unit; max secret size = k-l. K: random symbol independent of S. The user needs 2 shares to decode the secret S. Figure: the Dealer holds the Secret S and K; Parties 1 to 4 are shown with shares S+K, S+2K, S+3K, K; the User recovers S. Figure labels: Vandermonde, secret, random keys.

3 How to Store a Secret? ... and never lose it or reveal it. Shares are stored in a distributed system. “Failures are the norm rather than the exception” (Google). Figure: Dealer, Safe, Secret; Parties 1 to 4 are shown with shares S+K, S+2K, S+3K, K; a replacement Party 1’ is shown with S+K, S+2K, K. Secret leaked!

4 Plan for this Talk. 1) How to “repair” a secret? (2 takeaways) 2) How to deliver a secret? (1 takeaway)

5 i. How to repair a secret?

6 Repairing a secret using secure regenerating codes. Idea: minimize the information observed by Party 1’. Use the “best” regenerating codes that minimize repair bandwidth [Dimakis et al. ‘10]. Here, repair bw ≥ 1.5 (information-theoretic bound), so secret size = k - repair bw = 0.5. Figure: Dealer with Secret S; Parties 1 to 4 store the symbols k_2+k_3, k_3+k_1, s+k_1+k_2+k_3, 2k_1+k_2+k_3, k_1+2k_2+k_3, s+2k_3, s+k_1, k_1+k_2; the replacement Party 1’ is shown with k_2+k_3, s+k_1+k_2+k_3, k_1+2k_2+k_3, s+k_2, k_1+k_2.

7 Separation Scheme. Figure labels: secret, keys, Maximum Rank Distance code (preprocessing for security), Minimum Storage Regenerating code, shares. A regenerating code is used instead of a Reed-Solomon code to minimize repair bandwidth. Q: Does this separation-based scheme maximize the secret size under repair dynamics? A: No! Separation is not optimal. #1

8 A Scheme Better than Separation. (n,k)=(4,2) secret sharing. The keys k_1, k_2, k_3 and the secret symbols s_1, s_2 go through a (6,5) classical secret sharing scheme with l=3; each share is 1/3 unit. On a failure, the secret is not leaked. We can store a secret of size 2/3 > 1/2 [Rashmi, Shah, Kumar, Ramchandran ‘09] [Pawar, R, Ramchandran ‘11]. Secret size = H(k shares) - H(downloaded data during repair).

9 General Problem Formulation. n: total number of parties/nodes; k: threshold to decode the secret; l: colluding shares; d: helpers during repair. What is the maximum secret size C_s, called the secrecy capacity, that we can store and repair in a distributed storage system? Figure: nodes 1, 2, 3, 4, 5, 6, …, n with no dealer; a User contacting k nodes; a replacement node 1’ contacting d helpers.

10 Secrecy Capacity. Theorem [Pawar, R., Ramchandran ‘11]: The secrecy capacity of a decentralized (n,k) secret sharing with repair degree d and l colluding parties is upper bounded by [expression not preserved in the transcript], where β is the amount of data sent by a party during the repair of a failed party. Hard problem. Still open in general (more later). Maybe the problem becomes more tractable if we add constraints on the repair bw = β on each link. Figure: (n,k)=(4,2) secret sharing, Parties 1 to 4, one failure, β=1/3 on each repair link; the previous scheme achieves the secrecy capacity.

11 Proof Ingredients. Functional instead of exact repair. Flowgraph representation (multicast). Securing minimum cuts. Figure: Users 1 to 4.

12 Achievability. For d=n-1: the keys k_1, k_2, …, k_R and the secret symbols s_1, s_2, …, s_{M-R} go through a (θ,M) classical secret sharing scheme with l=R (figure: Parties 1 to n). For any d, secure MBR Product-Matrix codes can be used [Rashmi, Shah, Kumar ‘11]. Theorem [Pawar, R., Ramchandran ‘10]: Suppose β≤1/d; the secrecy capacity of a decentralized (n,k) secret sharing with repair degree d and l colluding parties is given by [expression not preserved in the transcript].

13 Product-Matrix Codes. Example: (5,2,3), α=3 and field size q=7 [K. V. Rashmi, N. B. Shah and P. V. Kumar, ‘11].
Message matrix: M = [k_1 k_2 k_3; k_2 s_1 s_2; k_3 s_2 0].
Vandermonde matrix: Ψ = [1 1 1; 1 2 4; 1 3 2; 1 4 2; 1 5 4].
Storage system (node i stores row i of ΨM):
Node 1: k_1+k_2+k_3, k_2+s_1+s_2, k_3+s_2
Node 2: k_1+2k_2+4k_3, k_2+2s_1+4s_2, k_3+2s_2
Node 3: k_1+3k_2+2k_3, k_2+3s_1+2s_2, k_3+3s_2
Node 4: k_1+4k_2+2k_3, k_2+4s_1+2s_2, k_3+4s_2
Node 5: k_1+5k_2+4k_3, k_2+5s_1+4s_2, k_3+5s_2
Remark: File reconstruction follows from the use of the Vandermonde matrix. Figure labels: general form of message matrix; replacement node 3’.
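The (5,2,3), q=7 product-matrix example on this slide, worked through in Python as an added example (not code from the talk or the cited papers). It uses the symmetric message matrix M = [k_1 k_2 k_3; k_2 s_1 s_2; k_3 s_2 0] implied by the stored symbols listed on the slide, and shows exact repair from d=3 helpers sending one symbol each, decoding from k=2 nodes, and that one node's contents do not depend on the secret. Function names and the sample key and secret values are constructed for illustration.

```python
from itertools import product

Q, N, K, D = 7, 5, 2, 3          # field size and (n, k, d) from the slide
PSI = {x: [1, x % Q, x * x % Q] for x in range(1, N + 1)}   # Vandermonde rows

def encode(keys, secret):
    """Node x stores psi_x^T M, with M the symmetric message matrix."""
    (k1, k2, k3), (s1, s2) = keys, secret
    M = [[k1, k2, k3], [k2, s1, s2], [k3, s2, 0]]
    return {x: [sum(p * M[i][j] for i, p in enumerate(row)) % Q
                for j in range(D)] for x, row in PSI.items()}

def solve(A, b):
    """Solve A z = b over GF(Q) by Gauss-Jordan elimination (A invertible)."""
    n = len(A)
    rows = [list(A[i]) + [b[i]] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if rows[r][c])
        rows[c], rows[p] = rows[p], rows[c]
        inv = pow(rows[c][c], -1, Q)
        rows[c] = [v * inv % Q for v in rows[c]]
        for r in range(n):
            if r != c:
                f = rows[r][c]
                rows[r] = [(v - f * w) % Q for v, w in zip(rows[r], rows[c])]
    return [row[n] for row in rows]

def repair(nodes, failed, helpers):
    """Each helper h sends the single symbol psi_h^T M psi_failed (beta = 1)."""
    sent = [sum(a * b for a, b in zip(nodes[h], PSI[failed])) % Q for h in helpers]
    # Psi_helpers (M psi_f) = sent; M is symmetric, so M psi_f is the lost row.
    return solve([PSI[h] for h in helpers], sent)

def decode_secret(nodes, a, b):
    """Recover (s1, s2) from the stored rows of any two nodes a != b."""
    V = [[1, a], [1, b]]
    _k3, s2 = solve(V, [nodes[a][2], nodes[b][2]])          # k3 + x*s2
    rhs = [(nodes[x][1] - x * x * s2) % Q for x in (a, b)]  # k2 + x*s1
    _k2, s1 = solve(V, rhs)
    return (s1, s2)

def single_node_views(node, secret):
    """All contents one node can hold for a fixed secret, over all 7^3 keys."""
    return sorted(tuple(encode(k, secret)[node])
                  for k in product(range(Q), repeat=3))

if __name__ == "__main__":
    nodes = encode((3, 5, 1), (4, 6))        # constructed sample keys and secret
    print(repair(nodes, 3, [1, 2, 4]) == nodes[3], decode_secret(nodes, 2, 5))
```

The helper symbols received during repair determine exactly the failed node's stored row, so a party that observes its own repair traffic learns nothing beyond what it ends up storing.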

14 Back to the Original Problem with no BW Constraints. Theorem [Tandon et al. ’14]: The previous schemes achieve capacity in the non-bw-constrained regime in the following cases: 1) (n,n-1) perfect (i.e. l=n-2) secret sharing, with d=n-1, by 2) (n,2) perfect (l=1) secret sharing and any repair degree d. Figure: (n,k)=(4,2) secret sharing, Parties 1 to 4, one failure, β=1/3 on each repair link; the previous scheme achieves the secrecy capacity.

15 Beyond Bandwidth Limited regime (cont’d). We want to show that for any β: Secrecy: D_1 = (D_21, D_31, D_41). Figure: (n,k)=(4,2) secret sharing, l=1; Parties 1 to 4 store W_1, W_2, W_3, W_4; Party 1’ receives D_21, D_31, D_41 (label W_1). Similarly

16 Open Problems. Characterization of the secrecy capacity for any (n,k) secret sharing with any d and l. Security in the case of functional repair? What if the parties are malicious? [Bitar, ER ‘15] [Pawar, ER, Ramchandran ‘11] MDS codes are everywhere. What is the maximum secret size that they can achieve? Table 1: Summary of results for (n,k) secret sharing, with columns k=2, k=3, k=4, …, k=n-2, k=n-1 and rows "Perfect secret sharing (l=k-1)" and "Imperfect secret sharing (l<k-1)".

17 How to repair MDS (Shamir’s) Scheme? Theorem [Goparaju, R., Calderbank, Poor, NetCod ’13]: The linear secure capacity of an (n,k) storage system with exact repair is [expression not preserved in the transcript], where l is the number of eavesdropping parties. Achievable for d=n-1 (contact all available nodes when repairing). Figure: (n,k) MDS code on nodes 1, 2, 3, 4, 5, 6, …, n; l colluding parties; repair degree d; a User contacting k nodes; a replacement node 1’.

18 Information Leakage. Theorem [Goparaju, R., Calderbank, Poor, NetCod ’13]: The linear secure capacity of an (n,k=n-2) storage system with exact repair is [expression not preserved in the transcript]. Max secret size decreases exponentially with l. #2

19 The Linear case. Theorem: [Goparaju, R., Calderbank, Poor, NetCod ’13] (n,k)=(5,3), l=2 colluding parties. Data observed by the l parties = data stored on parties 1’ and 5’ + data downloaded from party 2.

20 A Taste of the Proof… Party 1’ downloads: [expression not preserved in the transcript]. Analogy to interference alignment. Write these subspace conditions for all failures. Use them to prove the theorem by induction. Figure labels: 1’, S_3, S_{k+1}, S_{k+2}.

21 Secure Code Construction. Figure labels: file, Keys, MRD, Zigzag codes, Storage system. Maximum rank distance codes and Zigzag codes [Tamo et al. ’11] [Silberstein et al. ’12]. Open problems: Is the upper bound achievable if all nodes can be wiretapped? Do functional repair and/or non-linear coding increase secure capacity? What about d<n-1?

22 ii. How to deliver a secret?

23 What is the communication cost of delivering the secret to a user? (n,k)=(4,2) secret sharing with l=1 colluding parties. User 1 downloads 2 units and can decode the secret and the key, but doesn’t want the key. User 2 contacts 3 shares (d=3) and downloads 3/2 units. Comm. cost can be decreased because the user does not need to decode the keys. #3. Figure, first scheme: shares S+2K, S+3K, K, S+K over parties 1 to 4; User 1 decodes S and K. Figure, second scheme: symbols s_1+k_1, s_2+k_2, s_2+k_1, s_1+k_2, k_1, k_2, s_1+s_2+k_1, s_1+2s_2+k_2 over parties 1 to 4; User 2 is shown with k_1, s_1+k_1, s_2+k_1 and decodes s_1, s_2.

24 How to Deliver a Secret? Theorem [Huang, Langberg, Kliewer, Bruck ’15]: Characterization of the minimum communication cost (CC(d)) for a given d. Achievability of the bound for d=n via deterministic, Reed-Solomon based, codes. Achievability of the bound simultaneously for all d, k≤d≤n, via random codes. Figure: the (4,2) example with Users 1 and 2, parties 1 to 4 and d=3, with the same symbols as on the previous slide.

25 Staircase codes. Theorem [Bitar, El Rouayheb ISIT’16]: The (n,k) universal staircase code constructed as follows in GF(q), q≥n, achieves minimum communication cost for any d such that k≤d≤n. Theorem [Bitar, El Rouayheb ISIT’16]: There exists an (n,k,d) staircase code constructed in GF(q), q≥n, that achieves minimum communication cost for k≤d≤n and any l<k. Figure label: Vandermonde.

26 (4,2) Universal Staircase Codes. Encoding:
Party 1: s_1+s_2+s_3+k_1, s_4+s_5+s_6+k_2, k_1+k_2+k_3, s_3+k_4, s_6+k_5, k_3+k_6
Party 2: s_1+2s_2+4s_3+3k_1, s_4+2s_5+4s_6+3k_2, k_1+2k_2+4k_3, s_3+2k_4, s_6+2k_5, k_3+2k_6
Party 3: s_1+3s_2+4s_3+2k_1, s_4+3s_5+4s_6+2k_2, k_1+3k_2+4k_3, s_3+3k_4, s_6+3k_5, k_3+3k_6
Party 4: s_1+4s_2+s_3+4k_1, s_4+4s_5+s_6+4k_2, k_1+4k_2+k_3, s_3+4k_4, s_6+4k_5, k_3+4k_6
User downloads: 12 packets, 9 packets, 8 packets. In each case the user recovers s_1, s_2, s_3, s_4, s_5, s_6. Figure labels next to the user: (s_3, s_6, k_3, k_4, k_5, k_6); (k_1, k_2); (s_1, s_2, s_4, s_5); (k_1, k_2, k_3).

27 Open problems. Are there communication-efficient secret sharing schemes with general access structure, i.e., beyond threshold secret sharing? What if the dealer does not have direct access to the parties, but can reach them through a network? What if the shares are controlled by a malicious adversary? Repairable secret shares with min communication cost?

28 QUESTIONS?

