Secure Distributed Storage Systems
Eirik Rosnes
Simula@UiB, N-5020 Bergen, Norway
Institut Mittag-LefflerMay 16, 2017
Distributed storage systems (DSSs) Security References
Outline
1. Distributed storage systems (DSSs)MotivationErasure correcting codesRegenerating codes
2. SecurityIntroductionSecurity modelsOverview of some secure codesBlock/weak security
Secure DSSs | E. Rosnes 1 / 45
Distributed storage systems (DSSs) Security References
Acknowledgment
Alexandre Graell i AmatProfessor at Chalmers
Siddhartha KumarPhD student (UoB)
Secure DSSs | E. Rosnes 2 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.
• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.
• Inexpensively
• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.
• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.
• Inexpensively
• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.
(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.
• Inexpensively
• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.
(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.
• Inexpensively
• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.
(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.
• Inexpensively
• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.
(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.• Inexpensively
• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.
(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.• Inexpensively• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.
(1.8 ZB was generated in 2011.)
Need to store, process, and deliver massive amounts of data.• Inexpensively• Reliably
Secure DSSs | E. Rosnes 3 / 45
Distributed storage systems (DSSs) Security References
Motivation
2005 2009 2013 20200
1
2
3
4
·104
Year
Exab
ytes
(1018
byte
s)
Secure DSSs | E. Rosnes 4 / 45
Distributed storage systems (DSSs) Security References
Motivation
2005 2009 2013 20200
1
2
3
4
·104
Year
Exab
ytes
(1018
byte
s)
Secure DSSs | E. Rosnes 4 / 45
Distributed storage systems (DSSs) Security References
Data storage in the old times
In the old times...• Single pieces of very reliable hardware
→ very expensive!
Secure DSSs | E. Rosnes 5 / 45
Distributed storage systems (DSSs) Security References
Data storage in the old times
In the old times...• Single pieces of very reliable hardware → very expensive!
Secure DSSs | E. Rosnes 5 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Distributed storage• Data is stored across multiple interconnected inexpensive storage units in a
distributed fashion.
• Individual storage units (storage nodes) are unreliable, but reliability isprovided globally.
Secure DSSs | E. Rosnes 6 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Distributed storage• Data is stored across multiple interconnected inexpensive storage units in a
distributed fashion.• Individual storage units (storage nodes) are unreliable, but reliability is
provided globally.
Secure DSSs | E. Rosnes 6 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.
• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.
• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.
• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.
• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.
• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.
• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).
• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.
Secure DSSs | E. Rosnes 7 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but...
high storage overhead → very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead
→ very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead
→ very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead
→ very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead
→ very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead → very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead → very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?
Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
ReplicationReplication: Replicate the data n times
• Simple, but... high storage overhead → very costly in terms of hardware,real-state, maintenance (cooling)...
• Need to reduce the storage overhead!
Can we do better?Secure DSSs | E. Rosnes 8 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy.
The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).
... ...k data symbols n − k parity symbols
k data nodes n − k parity nodes
Secure DSSs | E. Rosnes 9 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy. The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).
... ...k data symbols n − k parity symbols
k data nodes n − k parity nodes
Secure DSSs | E. Rosnes 9 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy. The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).
...
...
k data symbols
n − k parity symbols
k data nodes n − k parity nodes
Secure DSSs | E. Rosnes 9 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy. The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).
... ...k data symbols n − k parity symbols
k data nodes n − k parity nodes
Secure DSSs | E. Rosnes 9 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy. The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).
... ...k data symbols n − k parity symbols
k data nodes n − k parity nodes
Secure DSSs | E. Rosnes 9 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy. The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).
... ...
k data symbols n − k parity symbols
k data nodes n − k parity nodes
Secure DSSs | E. Rosnes 9 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2
• A piece of data is divided into k = 7 symbols,
and encoded into n = 9symbols. (We add n − k = 2 symbols of redundancy.)
• 7 nodes store the plain data,
2 nodes store redundancy.
• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols,
and encoded into n = 9symbols. (We add n − k = 2 symbols of redundancy.)
• 7 nodes store the plain data,
2 nodes store redundancy.
• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)
• 7 nodes store the plain data,
2 nodes store redundancy.
• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data,
2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.
• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.
• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.
• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.
• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage using erasure correcting codes
Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9
symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).
Secure DSSs | E. Rosnes 10 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Mλ
α α
αα
hα
F
γD2D
γBS
µ
µ
Distributed storage systems come in many flavors:
• Data centers,
cloud storage networks, and P2P storage/backup systems
.
• Google File System, Facebook’s Hadoop distributed file system, andMicrosoft’s Windows Azure cloud system.
• Wireless distributed storage for content delivery.
Secure DSSs | E. Rosnes 11 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Mλ
α α
αα
hα
F
γD2D
γBS
µ
µ
Distributed storage systems come in many flavors:• Data centers,
cloud storage networks, and P2P storage/backup systems
.
• Google File System, Facebook’s Hadoop distributed file system, andMicrosoft’s Windows Azure cloud system.
• Wireless distributed storage for content delivery.
Secure DSSs | E. Rosnes 11 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Mλ
α α
αα
hα
F
γD2D
γBS
µ
µ
Distributed storage systems come in many flavors:• Data centers, cloud storage networks,
and P2P storage/backup systems
.
• Google File System, Facebook’s Hadoop distributed file system, andMicrosoft’s Windows Azure cloud system.
• Wireless distributed storage for content delivery.
Secure DSSs | E. Rosnes 11 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Mλ
α α
αα
hα
F
γD2D
γBS
µ
µ
Distributed storage systems come in many flavors:• Data centers, cloud storage networks, and P2P storage/backup systems.
• Google File System, Facebook’s Hadoop distributed file system, andMicrosoft’s Windows Azure cloud system.
• Wireless distributed storage for content delivery.
Secure DSSs | E. Rosnes 11 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Mλ
α α
αα
hα
F
γD2D
γBS
µ
µ
Distributed storage systems come in many flavors:• Data centers, cloud storage networks, and P2P storage/backup systems.• Google File System, Facebook’s Hadoop distributed file system, and
Microsoft’s Windows Azure cloud system.
• Wireless distributed storage for content delivery.
Secure DSSs | E. Rosnes 11 / 45
Distributed storage systems (DSSs) Security References
Distributed storage
Mλ
α α
αα
hα
F
γD2D
γBS
µ
µ
Distributed storage systems come in many flavors:• Data centers, cloud storage networks, and P2P storage/backup systems.• Google File System, Facebook’s Hadoop distributed file system, and
Microsoft’s Windows Azure cloud system.• Wireless distributed storage for content delivery.
Secure DSSs | E. Rosnes 11 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Regenerating codes [1]
• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:
• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.
• Then,
B ≤k−1∑i=0
min(α, (d − i)β)
[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
Secure DSSs | E. Rosnes 12 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curves• We get (l = 0, . . . , k − 1)
γ , dβ = Bk − 1
2d (k(k − 1) + (l + 1)l), α = γ − γl/d
0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.280.1
0.11
0.12
0.13
0.14
0.15
0.16
γ
α
• n = 15, k = 10, and d = n − 1.Secure DSSs | E. Rosnes 13 / 45
Distributed storage systems (DSSs) Security References
The boundary points• There are two boundary points:
• The minimal storage regeneration (MSR) point:
α = Bk and dβ = α+ (k − 1)β.
• The minimal bandwidth regeneration (MBR) point:
α = Bk + (k − 1)β
2 and dβ = α.
• Functional repair: The regenerated data is not the same as that lost, butprovides equivalent redundancy.
• Exact repair: The regenerated data is bitwise identical to what was lost(more practical).
Secure DSSs | E. Rosnes 14 / 45
Distributed storage systems (DSSs) Security References
The boundary points• There are two boundary points:
• The minimal storage regeneration (MSR) point:
α = Bk and dβ = α+ (k − 1)β.
• The minimal bandwidth regeneration (MBR) point:
α = Bk + (k − 1)β
2 and dβ = α.
• Functional repair: The regenerated data is not the same as that lost, butprovides equivalent redundancy.
• Exact repair: The regenerated data is bitwise identical to what was lost(more practical).
Secure DSSs | E. Rosnes 14 / 45
Distributed storage systems (DSSs) Security References
The boundary points• There are two boundary points:
• The minimal storage regeneration (MSR) point:
α = Bk and dβ = α+ (k − 1)β.
• The minimal bandwidth regeneration (MBR) point:
α = Bk + (k − 1)β
2 and dβ = α.
• Functional repair: The regenerated data is not the same as that lost, butprovides equivalent redundancy.
• Exact repair: The regenerated data is bitwise identical to what was lost(more practical).
Secure DSSs | E. Rosnes 14 / 45
Distributed storage systems (DSSs) Security References
The boundary points• There are two boundary points:
• The minimal storage regeneration (MSR) point:
α = Bk and dβ = α+ (k − 1)β.
• The minimal bandwidth regeneration (MBR) point:
α = Bk + (k − 1)β
2 and dβ = α.
• Functional repair: The regenerated data is not the same as that lost, butprovides equivalent redundancy.
• Exact repair: The regenerated data is bitwise identical to what was lost(more practical).
Secure DSSs | E. Rosnes 14 / 45
Distributed storage systems (DSSs) Security References
What about security?
TypesTwo ways to look at it:
• Security against passive attacks.• Security against active attacks.
Solution• Cryptographic approach:
Easy to implement.Complex key management.
• Information-theoretic approach.
Secure DSSs | E. Rosnes 15 / 45
Distributed storage systems (DSSs) Security References
What about security?
TypesTwo ways to look at it:
• Security against passive attacks.• Security against active attacks.
Solution• Cryptographic approach:
Easy to implement.Complex key management.
• Information-theoretic approach.
Secure DSSs | E. Rosnes 15 / 45
Distributed storage systems (DSSs) Security References
What about security?
TypesTwo ways to look at it:
• Security against passive attacks.• Security against active attacks.
Solution• Cryptographic approach:
Easy to implement.Complex key management.
• Information-theoretic approach.
Secure DSSs | E. Rosnes 15 / 45
Distributed storage systems (DSSs) Security References
What about security?
TypesTwo ways to look at it:
• Security against passive attacks.• Security against active attacks.
Solution• Cryptographic approach:
Easy to implement.Complex key management.
• Information-theoretic approach.
Secure DSSs | E. Rosnes 15 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2
m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2
m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2
m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2
m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2
m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security against passive attacks: An intuition
m1 m2 m1 + m2 m1 + 2m2
m1 + r r m1 + 2r m1 + 3r
Objective (strong secrecy)To achieve I (m; e) = 0.
The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!
Secure DSSs | E. Rosnes 16 / 45
Distributed storage systems (DSSs) Security References
Security models
• Assume there is an intruder in the DSS.• Its power is given by two parameters ` and b [2]:
• `: number of nodes the intruder can eavesdrop on.• b: number of nodes it can control by maliciously corrupting their data.
• The intruder can be:• A passive eavesdropper “Eve” (b = 0 and ` < k).• An active omniscient adversary “Calvin”.• An active limited-knowledge adversary “Charlie”.
• The data collector and the intruder have complete knowledge of thestorage and the repair scheme.
[2] S. Pawar, S. El Rouayheb, and K. Ramchandran, “Securing dynamic distributed storage systems against eavesdropping and adversarial attacks,”IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6743–6753, Oct. 2011.
Secure DSSs | E. Rosnes 17 / 45
Distributed storage systems (DSSs) Security References
Security models
• Assume there is an intruder in the DSS.• Its power is given by two parameters ` and b [2]:
• `: number of nodes the intruder can eavesdrop on.• b: number of nodes it can control by maliciously corrupting their data.
• The intruder can be:• A passive eavesdropper “Eve” (b = 0 and ` < k).• An active omniscient adversary “Calvin”.• An active limited-knowledge adversary “Charlie”.
• The data collector and the intruder have complete knowledge of thestorage and the repair scheme.
[2] S. Pawar, S. El Rouayheb, and K. Ramchandran, “Securing dynamic distributed storage systems against eavesdropping and adversarial attacks,”IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6743–6753, Oct. 2011.
Secure DSSs | E. Rosnes 17 / 45
Distributed storage systems (DSSs) Security References
Security models
• Assume there is an intruder in the DSS.• Its power is given by two parameters ` and b [2]:
• `: number of nodes the intruder can eavesdrop on.• b: number of nodes it can control by maliciously corrupting their data.
• The intruder can be:• A passive eavesdropper “Eve” (b = 0 and ` < k).• An active omniscient adversary “Calvin”.• An active limited-knowledge adversary “Charlie”.
• The data collector and the intruder have complete knowledge of thestorage and the repair scheme.
[2] S. Pawar, S. El Rouayheb, and K. Ramchandran, “Securing dynamic distributed storage systems against eavesdropping and adversarial attacks,”IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6743–6753, Oct. 2011.
Secure DSSs | E. Rosnes 17 / 45
Distributed storage systems (DSSs) Security References
Security models
• Assume there is an intruder in the DSS.• Its power is given by two parameters ` and b [2]:
• `: number of nodes the intruder can eavesdrop on.• b: number of nodes it can control by maliciously corrupting their data.
• The intruder can be:• A passive eavesdropper “Eve” (b = 0 and ` < k).• An active omniscient adversary “Calvin”.• An active limited-knowledge adversary “Charlie”.
• The data collector and the intruder have complete knowledge of thestorage and the repair scheme.
[2] S. Pawar, S. El Rouayheb, and K. Ramchandran, “Securing dynamic distributed storage systems against eavesdropping and adversarial attacks,”IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6743–6753, Oct. 2011.
Secure DSSs | E. Rosnes 17 / 45
Distributed storage systems (DSSs) Security References
Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]
• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2
additional nodes.
c1 c2 c3 c4
c1 c2 c4
m1 m2 m3 m4
m1
c5 c6
[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
Secure DSSs | E. Rosnes 18 / 45
Distributed storage systems (DSSs) Security References
Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]
• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2
additional nodes.
c1 c2 c3 c4
c1 c2 c4
m1 m2 m3 m4
m1
c5 c6
[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
Secure DSSs | E. Rosnes 18 / 45
Distributed storage systems (DSSs) Security References
Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]
• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2
additional nodes.
c1 c2 c3 c4c1
c2 c4
m1 m2 m3 m4
m1
c5 c6
[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
Secure DSSs | E. Rosnes 18 / 45
Distributed storage systems (DSSs) Security References
Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]
• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2
additional nodes.
c1 c2 c3 c4c1
c2 c4
m1 m2 m3 m4m1
c5 c6
[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
Secure DSSs | E. Rosnes 18 / 45
Distributed storage systems (DSSs) Security References
Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]
• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2
additional nodes.
c1 c2 c3 c4c1 c2
c4
m1 m2 m3 m4m1
c5 c6
[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
Secure DSSs | E. Rosnes 18 / 45
Distributed storage systems (DSSs) Security References
Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]
• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2
additional nodes.
c1 c2 c3 c4c1 c2 c4
m1 m2m2 m3 m4m4m1
c5c5 c6
[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
Secure DSSs | E. Rosnes 18 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• Under the (`1, `2) passive eavesdropper model [2]
Bs ≤k−1∑
i=`1+`2
min(α, (d − i)β).
• Intuition:• Assume the first `1 + `2 of the k nodes used for reconstruction are
compromised.• The data stored in these `1 + `2 nodes should provide zero information
about the message, and only the remaining k − (`1 + `2) nodes provideuseful information to the data-collector.
• MBR point: The upper bound is known to be tight under exact repair [3].• MSR point: A tight bound under exact repair is still open for `2 > 0 [4, 5].
[4] K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no. 2,pp. 1510–1524, Mar. 2017.[5] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans. Inf.Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.
Secure DSSs | E. Rosnes 19 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• Under the (`1, `2) passive eavesdropper model [2]
Bs ≤k−1∑
i=`1+`2
min(α, (d − i)β).
• Intuition:• Assume the first `1 + `2 of the k nodes used for reconstruction are
compromised.• The data stored in these `1 + `2 nodes should provide zero information
about the message, and only the remaining k − (`1 + `2) nodes provideuseful information to the data-collector.
• MBR point: The upper bound is known to be tight under exact repair [3].• MSR point: A tight bound under exact repair is still open for `2 > 0 [4, 5].
[4] K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no. 2,pp. 1510–1524, Mar. 2017.[5] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans. Inf.Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.
Secure DSSs | E. Rosnes 19 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• Under the (`1, `2) passive eavesdropper model [2]
Bs ≤k−1∑
i=`1+`2
min(α, (d − i)β).
• Intuition:• Assume the first `1 + `2 of the k nodes used for reconstruction are
compromised.• The data stored in these `1 + `2 nodes should provide zero information
about the message, and only the remaining k − (`1 + `2) nodes provideuseful information to the data-collector.
• MBR point: The upper bound is known to be tight under exact repair [3].• MSR point: A tight bound under exact repair is still open for `2 > 0 [4, 5].
[4] K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no. 2,pp. 1510–1524, Mar. 2017.[5] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans. Inf.Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.
Secure DSSs | E. Rosnes 19 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• Under the (`1, `2) passive eavesdropper model [2]
Bs ≤k−1∑
i=`1+`2
min(α, (d − i)β).
• Intuition:• Assume the first `1 + `2 of the k nodes used for reconstruction are
compromised.• The data stored in these `1 + `2 nodes should provide zero information
about the message, and only the remaining k − (`1 + `2) nodes provideuseful information to the data-collector.
• MBR point: The upper bound is known to be tight under exact repair [3].• MSR point: A tight bound under exact repair is still open for `2 > 0 [4, 5].
[4] K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no. 2,pp. 1510–1524, Mar. 2017.[5] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans. Inf.Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.
Secure DSSs | E. Rosnes 19 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• Under the (`1, `2) passive eavesdropper model [2]
Bs ≤k−1∑
i=`1+`2
min(α, (d − i)β).
• Intuition:• Assume the first `1 + `2 of the k nodes used for reconstruction are
compromised.• The data stored in these `1 + `2 nodes should provide zero information
about the message, and only the remaining k − (`1 + `2) nodes provideuseful information to the data-collector.
• MBR point: The upper bound is known to be tight under exact repair [3].• MSR point: A tight bound under exact repair is still open for `2 > 0 [4, 5].
[4] K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no. 2,pp. 1510–1524, Mar. 2017.[5] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans. Inf.Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.
Secure DSSs | E. Rosnes 19 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• We get (l = `, . . . , k − 1 where ` = `1 + `2)
γ , dβ = Bs
k − `− 12d (k(k − 1) + (l − 2`+ 1)l)
, α = γ − γl/d
0.1 0.12 0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.28 0.3 0.32 0.340.1
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
γ
α
` = 0
• n = 15, k = 10, and d = n − 1.Secure DSSs | E. Rosnes 20 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• We get (l = `, . . . , k − 1 where ` = `1 + `2)
γ , dβ = Bs
k − `− 12d (k(k − 1) + (l − 2`+ 1)l)
, α = γ − γl/d
0.1 0.12 0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.28 0.3 0.32 0.340.1
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
γ
α
` = 0` = 1
• n = 15, k = 10, and d = n − 1.Secure DSSs | E. Rosnes 20 / 45
Distributed storage systems (DSSs) Security References
Tradeoff curve• We get (l = `, . . . , k − 1 where ` = `1 + `2)
γ , dβ = Bs
k − `− 12d (k(k − 1) + (l − 2`+ 1)l)
, α = γ − γl/d
0.1 0.12 0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.28 0.3 0.32 0.340.1
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
γ
α
` = 0` = 1` = 2
• n = 15, k = 10, and d = n − 1.Secure DSSs | E. Rosnes 20 / 45
Distributed storage systems (DSSs) Security References
Shamir’s secret sharing scheme [6]
• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.
• The polynomial is evaluated at n points (the n shares)• Properties:
• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.
• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!
[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
Secure DSSs | E. Rosnes 21 / 45
Distributed storage systems (DSSs) Security References
Shamir’s secret sharing scheme [6]
• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.
• The polynomial is evaluated at n points (the n shares)• Properties:
• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.
• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!
[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
Secure DSSs | E. Rosnes 21 / 45
Distributed storage systems (DSSs) Security References
Shamir’s secret sharing scheme [6]
• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.
• The polynomial is evaluated at n points (the n shares)• Properties:
• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.
• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!
[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
Secure DSSs | E. Rosnes 21 / 45
Distributed storage systems (DSSs) Security References
Shamir’s secret sharing scheme [6]
• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.
• The polynomial is evaluated at n points (the n shares)• Properties:
• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.
• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!
[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
Secure DSSs | E. Rosnes 21 / 45
Distributed storage systems (DSSs) Security References
Shamir’s secret sharing scheme [6]
• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.
• The polynomial is evaluated at n points (the n shares)• Properties:
• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.
• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!
[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
Secure DSSs | E. Rosnes 21 / 45
Distributed storage systems (DSSs) Security References
Shamir’s secret sharing scheme [6]
• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.
• The polynomial is evaluated at n points (the n shares)• Properties:
• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.
• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!
[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
Secure DSSs | E. Rosnes 21 / 45
Distributed storage systems (DSSs) Security References
Active omniscient adversary
• The active adversary Calvin knows the data stored on all the nodes (andthus the file).
• Moreover, Calvin controls b nodes in total, where 2b < k.• Calvin can maliciously alter the data stored on the nodes under his control.• He can also send erroneous outgoing messages when contacted for repair
or reconstruction.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 22 / 45
Distributed storage systems (DSSs) Security References
Active omniscient adversary
• The active adversary Calvin knows the data stored on all the nodes (andthus the file).
• Moreover, Calvin controls b nodes in total, where 2b < k.• Calvin can maliciously alter the data stored on the nodes under his control.• He can also send erroneous outgoing messages when contacted for repair
or reconstruction.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 22 / 45
Distributed storage systems (DSSs) Security References
Active omniscient adversary
• The active adversary Calvin knows the data stored on all the nodes (andthus the file).
• Moreover, Calvin controls b nodes in total, where 2b < k.• Calvin can maliciously alter the data stored on the nodes under his control.• He can also send erroneous outgoing messages when contacted for repair
or reconstruction.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 22 / 45
Distributed storage systems (DSSs) Security References
Active omniscient adversary
• The active adversary Calvin knows the data stored on all the nodes (andthus the file).
• Moreover, Calvin controls b nodes in total, where 2b < k.• Calvin can maliciously alter the data stored on the nodes under his control.• He can also send erroneous outgoing messages when contacted for repair
or reconstruction.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 22 / 45
Distributed storage systems (DSSs) Security References
Active omniscient adversary
• The active adversary Calvin knows the data stored on all the nodes (andthus the file).
• Moreover, Calvin controls b nodes in total, where 2b < k.• Calvin can maliciously alter the data stored on the nodes under his control.• He can also send erroneous outgoing messages when contacted for repair
or reconstruction.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 22 / 45
Distributed storage systems (DSSs) Security References
Active limited-knowledge adversary
• The active adversary Charlie is not omniscient, but has limited knowledgeabout the data stored in the system.
• In particular, he has a limited eavesdropping capability `.• In addition, Charlie controls b chosen nodes and maliciously corrupts their
data.• We assume that b ≤ ` and that these b nodes are a subset of the `
eavesdropped nodes.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 23 / 45
Distributed storage systems (DSSs) Security References
Active limited-knowledge adversary
• The active adversary Charlie is not omniscient, but has limited knowledgeabout the data stored in the system.
• In particular, he has a limited eavesdropping capability `.• In addition, Charlie controls b chosen nodes and maliciously corrupts their
data.• We assume that b ≤ ` and that these b nodes are a subset of the `
eavesdropped nodes.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 23 / 45
Distributed storage systems (DSSs) Security References
Active limited-knowledge adversary
• The active adversary Charlie is not omniscient, but has limited knowledgeabout the data stored in the system.
• In particular, he has a limited eavesdropping capability `.• In addition, Charlie controls b chosen nodes and maliciously corrupts their
data.• We assume that b ≤ ` and that these b nodes are a subset of the `
eavesdropped nodes.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 23 / 45
Distributed storage systems (DSSs) Security References
Active limited-knowledge adversary
• The active adversary Charlie is not omniscient, but has limited knowledgeabout the data stored in the system.
• In particular, he has a limited eavesdropping capability `.• In addition, Charlie controls b chosen nodes and maliciously corrupts their
data.• We assume that b ≤ ` and that these b nodes are a subset of the `
eavesdropped nodes.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 23 / 45
Distributed storage systems (DSSs) Security References
Active limited-knowledge adversary
• The active adversary Charlie is not omniscient, but has limited knowledgeabout the data stored in the system.
• In particular, he has a limited eavesdropping capability `.• In addition, Charlie controls b chosen nodes and maliciously corrupts their
data.• We assume that b ≤ ` and that these b nodes are a subset of the `
eavesdropped nodes.
What is the maximum file size such that the data collector can reliable retrievethe file?
Secure DSSs | E. Rosnes 23 / 45
Distributed storage systems (DSSs) Security References
Upper bounds on the resiliency capacity [2]• For an active omniscient adversary (` = k, 2b < k)
Cr ≤k−1∑i=2b
min (α, (d − i)β) .
• For an active limited-knowledge adversary (`, b ≤ `)
Cr ≤k−1∑i=b
min (α, (d − i)β) .
• It is known that the upper bounds are tight in the so-calledbandwidth-limited regime [2].
• Explicit code constructions for this regime were given in [7] usingPM-MBR codes [8] and a correlation hashing scheme.
[7] R. Bitar and S. El Rouayheb, “Securing data against limited-knowledge adversaries in distributed storage systems,” in Proc. IEEE Int. Symp. Inf.Theory (ISIT), Hong Kong, China, Jun. 2015, pp. 2857–2851.[8] K. V. Rashmi, N. B. Shah, and P. V. Kumar, “Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via aproduct-matrix construction,” IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 5227–5239, Aug. 2011.
Secure DSSs | E. Rosnes 24 / 45
Distributed storage systems (DSSs) Security References
Upper bounds on the resiliency capacity [2]• For an active omniscient adversary (` = k, 2b < k)
Cr ≤k−1∑i=2b
min (α, (d − i)β) .
• For an active limited-knowledge adversary (`, b ≤ `)
Cr ≤k−1∑i=b
min (α, (d − i)β) .
• It is known that the upper bounds are tight in the so-calledbandwidth-limited regime [2].
• Explicit code constructions for this regime were given in [7] usingPM-MBR codes [8] and a correlation hashing scheme.
[7] R. Bitar and S. El Rouayheb, “Securing data against limited-knowledge adversaries in distributed storage systems,” in Proc. IEEE Int. Symp. Inf.Theory (ISIT), Hong Kong, China, Jun. 2015, pp. 2857–2851.[8] K. V. Rashmi, N. B. Shah, and P. V. Kumar, “Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via aproduct-matrix construction,” IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 5227–5239, Aug. 2011.
Secure DSSs | E. Rosnes 24 / 45
Distributed storage systems (DSSs) Security References
Upper bounds on the resiliency capacity [2]• For an active omniscient adversary (` = k, 2b < k)
Cr ≤k−1∑i=2b
min (α, (d − i)β) .
• For an active limited-knowledge adversary (`, b ≤ `)
Cr ≤k−1∑i=b
min (α, (d − i)β) .
• It is known that the upper bounds are tight in the so-calledbandwidth-limited regime [2].
• Explicit code constructions for this regime were given in [7] usingPM-MBR codes [8] and a correlation hashing scheme.
[7] R. Bitar and S. El Rouayheb, “Securing data against limited-knowledge adversaries in distributed storage systems,” in Proc. IEEE Int. Symp. Inf.Theory (ISIT), Hong Kong, China, Jun. 2015, pp. 2857–2851.[8] K. V. Rashmi, N. B. Shah, and P. V. Kumar, “Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via aproduct-matrix construction,” IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 5227–5239, Aug. 2011.
Secure DSSs | E. Rosnes 24 / 45
Distributed storage systems (DSSs) Security References
Upper bounds on the resiliency capacity [2]• For an active omniscient adversary (` = k, 2b < k)
Cr ≤k−1∑i=2b
min (α, (d − i)β) .
• For an active limited-knowledge adversary (`, b ≤ `)
Cr ≤k−1∑i=b
min (α, (d − i)β) .
• It is known that the upper bounds are tight in the so-calledbandwidth-limited regime [2].
• Explicit code constructions for this regime were given in [7] usingPM-MBR codes [8] and a correlation hashing scheme.
[7] R. Bitar and S. El Rouayheb, “Securing data against limited-knowledge adversaries in distributed storage systems,” in Proc. IEEE Int. Symp. Inf.Theory (ISIT), Hong Kong, China, Jun. 2015, pp. 2857–2851.[8] K. V. Rashmi, N. B. Shah, and P. V. Kumar, “Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via aproduct-matrix construction,” IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 5227–5239, Aug. 2011.
Secure DSSs | E. Rosnes 24 / 45
Distributed storage systems (DSSs) Security References
Secure codes in the literature
• Secure MBR codes (Pawar et al. [2]).• Secure PM-MBR and PM-MSR codes (Shah et al. [3]).
• MBR: The secure file size achieves the upper bound for all (n, k, d) for all(`1, `2).
• MSR: The upper bound is only achieved for `2 = 0 and can be tightened[9, 10].
• Secure MSR codes and secure LRCs (Rawat et al. [9]).
[9] A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, “Optimal locally repairable and secure codes for distributed storage systems,“IEEE Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.[10] S. Goparaju, S. El Rouayheb, R. Calderbank, and H. Vincent Poor, “Data secrecy in distributed storage systems under exact repair,” in Proc. Int.Symp. Netw. Coding (NetCod), Calgary, Alberta, Canada, Jun. 2013.
Secure DSSs | E. Rosnes 25 / 45
Distributed storage systems (DSSs) Security References
Secure codes in the literature
• Secure MBR codes (Pawar et al. [2]).• Secure PM-MBR and PM-MSR codes (Shah et al. [3]).
• MBR: The secure file size achieves the upper bound for all (n, k, d) for all(`1, `2).
• MSR: The upper bound is only achieved for `2 = 0 and can be tightened[9, 10].
• Secure MSR codes and secure LRCs (Rawat et al. [9]).
[9] A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, “Optimal locally repairable and secure codes for distributed storage systems,“IEEE Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.[10] S. Goparaju, S. El Rouayheb, R. Calderbank, and H. Vincent Poor, “Data secrecy in distributed storage systems under exact repair,” in Proc. Int.Symp. Netw. Coding (NetCod), Calgary, Alberta, Canada, Jun. 2013.
Secure DSSs | E. Rosnes 25 / 45
Distributed storage systems (DSSs) Security References
Secure codes in the literature
• Secure MBR codes (Pawar et al. [2]).• Secure PM-MBR and PM-MSR codes (Shah et al. [3]).
• MBR: The secure file size achieves the upper bound for all (n, k, d) for all(`1, `2).
• MSR: The upper bound is only achieved for `2 = 0 and can be tightened[9, 10].
• Secure MSR codes and secure LRCs (Rawat et al. [9]).
[9] A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, “Optimal locally repairable and secure codes for distributed storage systems,“IEEE Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.[10] S. Goparaju, S. El Rouayheb, R. Calderbank, and H. Vincent Poor, “Data secrecy in distributed storage systems under exact repair,” in Proc. Int.Symp. Netw. Coding (NetCod), Calgary, Alberta, Canada, Jun. 2013.
Secure DSSs | E. Rosnes 25 / 45
Distributed storage systems (DSSs) Security References
Secure codes in the literature
• Secure MBR codes (Pawar et al. [2]).• Secure PM-MBR and PM-MSR codes (Shah et al. [3]).
• MBR: The secure file size achieves the upper bound for all (n, k, d) for all(`1, `2).
• MSR: The upper bound is only achieved for `2 = 0 and can be tightened[9, 10].
• Secure MSR codes and secure LRCs (Rawat et al. [9]).
[9] A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, “Optimal locally repairable and secure codes for distributed storage systems,“IEEE Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.[10] S. Goparaju, S. El Rouayheb, R. Calderbank, and H. Vincent Poor, “Data secrecy in distributed storage systems under exact repair,” in Proc. Int.Symp. Netw. Coding (NetCod), Calgary, Alberta, Canada, Jun. 2013.
Secure DSSs | E. Rosnes 25 / 45
Distributed storage systems (DSSs) Security References
The approach of [3]
• To construct a secure code for a given (n, k, d), a PM-MBR code with thesame parameters are selected.
• Replace a specific, carefully chosen set of B − Bs message symbols withrandom symbols chosen uniformly and independently from Fq.
• The reconstruction process and repair in the secure code can be carriedout in the same way as in the original code.
• Security proof relies on:
H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
• Secure PM-MBR and PM-MSR codes are constructed in this way.
Secure DSSs | E. Rosnes 26 / 45
Distributed storage systems (DSSs) Security References
The approach of [3]
• To construct a secure code for a given (n, k, d), a PM-MBR code with thesame parameters are selected.
• Replace a specific, carefully chosen set of B − Bs message symbols withrandom symbols chosen uniformly and independently from Fq.
• The reconstruction process and repair in the secure code can be carriedout in the same way as in the original code.
• Security proof relies on:
H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
• Secure PM-MBR and PM-MSR codes are constructed in this way.
Secure DSSs | E. Rosnes 26 / 45
Distributed storage systems (DSSs) Security References
The approach of [3]
• To construct a secure code for a given (n, k, d), a PM-MBR code with thesame parameters are selected.
• Replace a specific, carefully chosen set of B − Bs message symbols withrandom symbols chosen uniformly and independently from Fq.
• The reconstruction process and repair in the secure code can be carriedout in the same way as in the original code.
• Security proof relies on:
H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
• Secure PM-MBR and PM-MSR codes are constructed in this way.
Secure DSSs | E. Rosnes 26 / 45
Distributed storage systems (DSSs) Security References
The approach of [3]
• To construct a secure code for a given (n, k, d), a PM-MBR code with thesame parameters are selected.
• Replace a specific, carefully chosen set of B − Bs message symbols withrandom symbols chosen uniformly and independently from Fq.
• The reconstruction process and repair in the secure code can be carriedout in the same way as in the original code.
• Security proof relies on:
H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
• Secure PM-MBR and PM-MSR codes are constructed in this way.
Secure DSSs | E. Rosnes 26 / 45
Distributed storage systems (DSSs) Security References
The approach of [3]
• To construct a secure code for a given (n, k, d), a PM-MBR code with thesame parameters are selected.
• Replace a specific, carefully chosen set of B − Bs message symbols withrandom symbols chosen uniformly and independently from Fq.
• The reconstruction process and repair in the secure code can be carriedout in the same way as in the original code.
• Security proof relies on:
H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
• Secure PM-MBR and PM-MSR codes are constructed in this way.
Secure DSSs | E. Rosnes 26 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =
[Φn×k ∆n×(d−k)
].
• Message matrix:
M d×d =(
Sk×k Tk×(d−k)TT
(d−k)×k 0(d−k)×(d−k)
).
• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.
• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:
• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.
• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.
Secure DSSs | E. Rosnes 27 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and
M d×d =
u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0
.
• With ` = 1, we get
M d×d =
r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0
.
• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.
Secure DSSs | E. Rosnes 28 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and
M d×d =
u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0
.
• With ` = 1, we get
M d×d =
r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0
.
• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.
Secure DSSs | E. Rosnes 28 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and
M d×d =
u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0
.
• With ` = 1, we get
M d×d =
r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0
.
• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.
Secure DSSs | E. Rosnes 28 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and
M d×d =
u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0
.
• With ` = 1, we get
M d×d =
r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0
.
• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.
Secure DSSs | E. Rosnes 28 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and
M d×d =
u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0
.
• With ` = 1, we get
M d×d =
r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0
.
• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.
Secure DSSs | E. Rosnes 28 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and
M d×d =
u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0
.
• With ` = 1, we get
M d×d =
r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0
.
• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.
Secure DSSs | E. Rosnes 28 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example
r1 + r2 + r3 + r7
r2 + u4 + u5 + u8
r3 + u5 + u6 + u9
r7 + u8 + u9
r1 + 3r2 + 9r3 + r7
r2 + 3u4 + 9u5 + u8
r3 + 3u5 + 9u6 + u9
r7 + 3u8 + 9u9
r1 + 5r2 + 12r3 + 8r7
r2 + 5u4 + 12u5 + 8u8
r3 + 5u5 + 12u6 + 8u9
r7 + 5u8 + 12u9
r1 + 7r2 + 10r3 + 5r7
r2 + 7u4 + 10u5 + 5u8
r3 + 7u5 + 10u6 + 5u9
r7 + 7u8 + 10u9
r1 + 9r2 + 3r3 + r7
r2 + 9u4 + 3u5 + u8
r3 + 9u5 + 3u6 + u9
r7 + 9u8 + 3u9
r1 + 11r2 + 4r3 + 5r7
r2 + 11u4 + 4u5 + 5u8
r3 + 11u5 + 4u6 + 5u9
r7 + 11u8 + 4u98×
12×5×1×
Σ Σ Σ Σ
• Vandermonde encoding matrix over F13.• The system is secure for ` = 1.• Repair follows the repair scheme of PM-MBR codes.
Secure DSSs | E. Rosnes 29 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example
r1 + r2 + r3 + r7
r2 + u4 + u5 + u8
r3 + u5 + u6 + u9
r7 + u8 + u9
r1 + 3r2 + 9r3 + r7
r2 + 3u4 + 9u5 + u8
r3 + 3u5 + 9u6 + u9
r7 + 3u8 + 9u9
r1 + 5r2 + 12r3 + 8r7
r2 + 5u4 + 12u5 + 8u8
r3 + 5u5 + 12u6 + 8u9
r7 + 5u8 + 12u9
r1 + 7r2 + 10r3 + 5r7
r2 + 7u4 + 10u5 + 5u8
r3 + 7u5 + 10u6 + 5u9
r7 + 7u8 + 10u9
r1 + 9r2 + 3r3 + r7
r2 + 9u4 + 3u5 + u8
r3 + 9u5 + 3u6 + u9
r7 + 9u8 + 3u9
r1 + 11r2 + 4r3 + 5r7
r2 + 11u4 + 4u5 + 5u8
r3 + 11u5 + 4u6 + 5u9
r7 + 11u8 + 4u98×
12×5×1×
Σ Σ Σ Σ
• Vandermonde encoding matrix over F13.• The system is secure for ` = 1.• Repair follows the repair scheme of PM-MBR codes.
Secure DSSs | E. Rosnes 29 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example
r1 + r2 + r3 + r7
r2 + u4 + u5 + u8
r3 + u5 + u6 + u9
r7 + u8 + u9
r1 + 3r2 + 9r3 + r7
r2 + 3u4 + 9u5 + u8
r3 + 3u5 + 9u6 + u9
r7 + 3u8 + 9u9
r1 + 5r2 + 12r3 + 8r7
r2 + 5u4 + 12u5 + 8u8
r3 + 5u5 + 12u6 + 8u9
r7 + 5u8 + 12u9
r1 + 7r2 + 10r3 + 5r7
r2 + 7u4 + 10u5 + 5u8
r3 + 7u5 + 10u6 + 5u9
r7 + 7u8 + 10u9
r1 + 9r2 + 3r3 + r7
r2 + 9u4 + 3u5 + u8
r3 + 9u5 + 3u6 + u9
r7 + 9u8 + 3u9
r1 + 11r2 + 4r3 + 5r7
r2 + 11u4 + 4u5 + 5u8
r3 + 11u5 + 4u6 + 5u9
r7 + 11u8 + 4u98×
12×5×1×
Σ Σ Σ Σ
• Vandermonde encoding matrix over F13.• The system is secure for ` = 1.• Repair follows the repair scheme of PM-MBR codes.
Secure DSSs | E. Rosnes 29 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example
r1 + r2 + r3 + r7
r2 + u4 + u5 + u8
r3 + u5 + u6 + u9
r7 + u8 + u9
r1 + 3r2 + 9r3 + r7
r2 + 3u4 + 9u5 + u8
r3 + 3u5 + 9u6 + u9
r7 + 3u8 + 9u9
r1 + 5r2 + 12r3 + 8r7
r2 + 5u4 + 12u5 + 8u8
r3 + 5u5 + 12u6 + 8u9
r7 + 5u8 + 12u9
r1 + 7r2 + 10r3 + 5r7
r2 + 7u4 + 10u5 + 5u8
r3 + 7u5 + 10u6 + 5u9
r7 + 7u8 + 10u9
r1 + 9r2 + 3r3 + r7
r2 + 9u4 + 3u5 + u8
r3 + 9u5 + 3u6 + u9
r7 + 9u8 + 3u9
r1 + 11r2 + 4r3 + 5r7
r2 + 11u4 + 4u5 + 5u8
r3 + 11u5 + 4u6 + 5u9
r7 + 11u8 + 4u98×
12×5×1×
Σ Σ Σ Σ
• Vandermonde encoding matrix over F13.• The system is secure for ` = 1.• Repair follows the repair scheme of PM-MBR codes.
Secure DSSs | E. Rosnes 29 / 45
Distributed storage systems (DSSs) Security References
PM-MBR codes: Example
r1 + r2 + r3 + r7
r2 + u4 + u5 + u8
r3 + u5 + u6 + u9
r7 + u8 + u9
r1 + 3r2 + 9r3 + r7
r2 + 3u4 + 9u5 + u8
r3 + 3u5 + 9u6 + u9
r7 + 3u8 + 9u9
r1 + 5r2 + 12r3 + 8r7
r2 + 5u4 + 12u5 + 8u8
r3 + 5u5 + 12u6 + 8u9
r7 + 5u8 + 12u9
r1 + 7r2 + 10r3 + 5r7
r2 + 7u4 + 10u5 + 5u8
r3 + 7u5 + 10u6 + 5u9
r7 + 7u8 + 10u9
r1 + 9r2 + 3r3 + r7
r2 + 9u4 + 3u5 + u8
r3 + 9u5 + 3u6 + u9
r7 + 9u8 + 3u9
r1 + 11r2 + 4r3 + 5r7
r2 + 11u4 + 4u5 + 5u8
r3 + 11u5 + 4u6 + 5u9
r7 + 11u8 + 4u98×
12×5×1×
Σ Σ Σ Σ
• Vandermonde encoding matrix over F13.• The system is secure for ` = 1.• Repair follows the repair scheme of PM-MBR codes.
Secure DSSs | E. Rosnes 29 / 45
Distributed storage systems (DSSs) Security References
Code construction from [9, 11]
m̃ = (m, r) (k̃, k̃)Gabidulin encoding
(n, k̃)Storage code
c = (c1, c2, . . . , cn)
CharacteristicsZero information leakage.Has repair cost same the (n, k̃) storage code.High complexity.Code rate (k/n) less than the design code rate (k̃/n).
[11] S. Kumar, E. Rosnes, A. Graell i Amat, ”Secure repairable Fountain codes,” IEEE Commun. Letters, vol. 20, no. 8, pp. 1491–1494, Aug. 2016.
Secure DSSs | E. Rosnes 30 / 45
Distributed storage systems (DSSs) Security References
Code construction from [9, 11]
m̃ = (m, r) (k̃, k̃)Gabidulin encoding
(n, k̃)Storage code
c = (c1, c2, . . . , cn)
CharacteristicsZero information leakage.Has repair cost same the (n, k̃) storage code.High complexity.Code rate (k/n) less than the design code rate (k̃/n).
[11] S. Kumar, E. Rosnes, A. Graell i Amat, ”Secure repairable Fountain codes,” IEEE Commun. Letters, vol. 20, no. 8, pp. 1491–1494, Aug. 2016.
Secure DSSs | E. Rosnes 30 / 45
Distributed storage systems (DSSs) Security References
Code construction from [9, 11]
m̃ = (m, r) (k̃, k̃)Gabidulin encoding
(n, k̃)Storage code
c = (c1, c2, . . . , cn)
CharacteristicsZero information leakage.Has repair cost same the (n, k̃) storage code.High complexity.Code rate (k/n) less than the design code rate (k̃/n).
[11] S. Kumar, E. Rosnes, A. Graell i Amat, ”Secure repairable Fountain codes,” IEEE Commun. Letters, vol. 20, no. 8, pp. 1491–1494, Aug. 2016.
Secure DSSs | E. Rosnes 30 / 45
Distributed storage systems (DSSs) Security References
(n, k) Gabidulin codes
EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk
qp is as follows:
1. Construct a linear polynomial: f (y) =∑k
i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword
c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .
DecodingThe message m is obtained from c as follows:
1. Obtain k code symbols.2. Perform polynomial interpolation to get m.
Secure DSSs | E. Rosnes 31 / 45
Distributed storage systems (DSSs) Security References
(n, k) Gabidulin codes
EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk
qp is as follows:
1. Construct a linear polynomial: f (y) =∑k
i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword
c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .
DecodingThe message m is obtained from c as follows:
1. Obtain k code symbols.2. Perform polynomial interpolation to get m.
Secure DSSs | E. Rosnes 31 / 45
Distributed storage systems (DSSs) Security References
(n, k) Gabidulin codes
EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk
qp is as follows:
1. Construct a linear polynomial: f (y) =∑k
i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword
c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .
DecodingThe message m is obtained from c as follows:
1. Obtain k code symbols.2. Perform polynomial interpolation to get m.
Secure DSSs | E. Rosnes 31 / 45
Distributed storage systems (DSSs) Security References
(n, k) Gabidulin codes
EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk
qp is as follows:
1. Construct a linear polynomial: f (y) =∑k
i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword
c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .
DecodingThe message m is obtained from c as follows:
1. Obtain k code symbols.2. Perform polynomial interpolation to get m.
Secure DSSs | E. Rosnes 31 / 45
Distributed storage systems (DSSs) Security References
(n, k) Gabidulin codes
EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk
qp is as follows:
1. Construct a linear polynomial: f (y) =∑k
i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword
c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .
DecodingThe message m is obtained from c as follows:
1. Obtain k code symbols.2. Perform polynomial interpolation to get m.
Secure DSSs | E. Rosnes 31 / 45
Distributed storage systems (DSSs) Security References
(n, k) Gabidulin codes
EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk
qp is as follows:
1. Construct a linear polynomial: f (y) =∑k
i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword
c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .
DecodingThe message m is obtained from c as follows:
1. Obtain k code symbols.2. Perform polynomial interpolation to get m.
Secure DSSs | E. Rosnes 31 / 45
Distributed storage systems (DSSs) Security References
(n, k) Repairable fountain code
EncodingGiven m = (m1, . . . ,mk) ∈ Fk
qp , n − k parity symbols are constructed asfollows:
1. Select ξ = O(log k) message symbols with replacement.2. For each of these message symbols, uniformly select a coefficient from Fq.3. Parity symbol is formed from a weighted linear combination of selected
message and corresponding coefficients.
Properties1. Locality of ξ.2. Parallel reads.
Secure DSSs | E. Rosnes 32 / 45
Distributed storage systems (DSSs) Security References
(n, k) Repairable fountain code
EncodingGiven m = (m1, . . . ,mk) ∈ Fk
qp , n − k parity symbols are constructed asfollows:
1. Select ξ = O(log k) message symbols with replacement.2. For each of these message symbols, uniformly select a coefficient from Fq.3. Parity symbol is formed from a weighted linear combination of selected
message and corresponding coefficients.
Properties1. Locality of ξ.2. Parallel reads.
Secure DSSs | E. Rosnes 32 / 45
Distributed storage systems (DSSs) Security References
(n, k) Repairable fountain code
EncodingGiven m = (m1, . . . ,mk) ∈ Fk
qp , n − k parity symbols are constructed asfollows:
1. Select ξ = O(log k) message symbols with replacement.2. For each of these message symbols, uniformly select a coefficient from Fq.3. Parity symbol is formed from a weighted linear combination of selected
message and corresponding coefficients.
Properties1. Locality of ξ.2. Parallel reads.
Secure DSSs | E. Rosnes 32 / 45
Distributed storage systems (DSSs) Security References
(n, k) Repairable fountain code
EncodingGiven m = (m1, . . . ,mk) ∈ Fk
qp , n − k parity symbols are constructed asfollows:
1. Select ξ = O(log k) message symbols with replacement.2. For each of these message symbols, uniformly select a coefficient from Fq.3. Parity symbol is formed from a weighted linear combination of selected
message and corresponding coefficients.
Properties1. Locality of ξ.2. Parallel reads.
Secure DSSs | E. Rosnes 32 / 45
Distributed storage systems (DSSs) Security References
(n, k) Repairable fountain code
EncodingGiven m = (m1, . . . ,mk) ∈ Fk
qp , n − k parity symbols are constructed asfollows:
1. Select ξ = O(log k) message symbols with replacement.2. For each of these message symbols, uniformly select a coefficient from Fq.3. Parity symbol is formed from a weighted linear combination of selected
message and corresponding coefficients.
Properties1. Locality of ξ.2. Parallel reads.
Secure DSSs | E. Rosnes 32 / 45
Distributed storage systems (DSSs) Security References
Achieving security constraint: I (m; e) = 0
Rawat et al. [9] and othersH (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
In [11]H (r |m, e) = H (r)−H (e)⇔ I (m; e) = 0.
The necessary condition is required since unlike traditional LRCs, which havedisjoint local repair groups, RFCs may also have overlapping repair groups.
Secure DSSs | E. Rosnes 33 / 45
Distributed storage systems (DSSs) Security References
Achieving security constraint: I (m; e) = 0
Rawat et al. [9] and othersH (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
In [11]H (r |m, e) = H (r)−H (e)⇔ I (m; e) = 0.
The necessary condition is required since unlike traditional LRCs, which havedisjoint local repair groups, RFCs may also have overlapping repair groups.
Secure DSSs | E. Rosnes 33 / 45
Distributed storage systems (DSSs) Security References
Achieving security constraint: I (m; e) = 0
Rawat et al. [9] and othersH (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.
In [11]H (r |m, e) = H (r)−H (e)⇔ I (m; e) = 0.
The necessary condition is required since unlike traditional LRCs, which havedisjoint local repair groups, RFCs may also have overlapping repair groups.
Secure DSSs | E. Rosnes 33 / 45
Distributed storage systems (DSSs) Security References
Issues with perfect secrecy
• Perfect secrecy is obtained at the cost of lowering the storage capacity.• One has to specify beforehand the strength of the adversary.• When the strength of the adversary is exceeded, nothing is guaranteed on
the security of the system.• Perfect secrecy is either too strict and might not be even necessary, or too
costly and might not be affordable.
Weaker security levels at lower costs are needed!!!
Secure DSSs | E. Rosnes 34 / 45
Distributed storage systems (DSSs) Security References
Issues with perfect secrecy
• Perfect secrecy is obtained at the cost of lowering the storage capacity.• One has to specify beforehand the strength of the adversary.• When the strength of the adversary is exceeded, nothing is guaranteed on
the security of the system.• Perfect secrecy is either too strict and might not be even necessary, or too
costly and might not be affordable.
Weaker security levels at lower costs are needed!!!
Secure DSSs | E. Rosnes 34 / 45
Distributed storage systems (DSSs) Security References
Issues with perfect secrecy
• Perfect secrecy is obtained at the cost of lowering the storage capacity.• One has to specify beforehand the strength of the adversary.• When the strength of the adversary is exceeded, nothing is guaranteed on
the security of the system.• Perfect secrecy is either too strict and might not be even necessary, or too
costly and might not be affordable.
Weaker security levels at lower costs are needed!!!
Secure DSSs | E. Rosnes 34 / 45
Distributed storage systems (DSSs) Security References
Issues with perfect secrecy
• Perfect secrecy is obtained at the cost of lowering the storage capacity.• One has to specify beforehand the strength of the adversary.• When the strength of the adversary is exceeded, nothing is guaranteed on
the security of the system.• Perfect secrecy is either too strict and might not be even necessary, or too
costly and might not be affordable.
Weaker security levels at lower costs are needed!!!
Secure DSSs | E. Rosnes 34 / 45
Distributed storage systems (DSSs) Security References
Issues with perfect secrecy
• Perfect secrecy is obtained at the cost of lowering the storage capacity.• One has to specify beforehand the strength of the adversary.• When the strength of the adversary is exceeded, nothing is guaranteed on
the security of the system.• Perfect secrecy is either too strict and might not be even necessary, or too
costly and might not be affordable.
Weaker security levels at lower costs are needed!!!
Secure DSSs | E. Rosnes 34 / 45
Distributed storage systems (DSSs) Security References
Block security [12]• The concept of block security (or security against guessing) is taken from
the network coding literature [13].
Block securityA code is b-block secure against an adversary of strength `, if the adversary,which accesses at most ` storage nodes, gains no information about any groupof b data symbols.
• Examples:• 1-block security (weak security) implies that no individual data symbol is
revealed.• 2-block security implies that no information on any group of two data
symbols is revealed.• B-block security (B is the file size) implies perfect security.
[12] S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEE Int.Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.[13] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.
Secure DSSs | E. Rosnes 35 / 45
Distributed storage systems (DSSs) Security References
Block security [12]• The concept of block security (or security against guessing) is taken from
the network coding literature [13].
Block securityA code is b-block secure against an adversary of strength `, if the adversary,which accesses at most ` storage nodes, gains no information about any groupof b data symbols.
• Examples:• 1-block security (weak security) implies that no individual data symbol is
revealed.• 2-block security implies that no information on any group of two data
symbols is revealed.• B-block security (B is the file size) implies perfect security.
[12] S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEE Int.Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.[13] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.
Secure DSSs | E. Rosnes 35 / 45
Distributed storage systems (DSSs) Security References
Block security [12]• The concept of block security (or security against guessing) is taken from
the network coding literature [13].
Block securityA code is b-block secure against an adversary of strength `, if the adversary,which accesses at most ` storage nodes, gains no information about any groupof b data symbols.
• Examples:• 1-block security (weak security) implies that no individual data symbol is
revealed.• 2-block security implies that no information on any group of two data
symbols is revealed.• B-block security (B is the file size) implies perfect security.
[12] S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEE Int.Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.[13] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.
Secure DSSs | E. Rosnes 35 / 45
Distributed storage systems (DSSs) Security References
Block security [12]• The concept of block security (or security against guessing) is taken from
the network coding literature [13].
Block securityA code is b-block secure against an adversary of strength `, if the adversary,which accesses at most ` storage nodes, gains no information about any groupof b data symbols.
• Examples:• 1-block security (weak security) implies that no individual data symbol is
revealed.• 2-block security implies that no information on any group of two data
symbols is revealed.• B-block security (B is the file size) implies perfect security.
[12] S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEE Int.Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.[13] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.
Secure DSSs | E. Rosnes 35 / 45
Distributed storage systems (DSSs) Security References
Block security [12]• The concept of block security (or security against guessing) is taken from
the network coding literature [13].
Block securityA code is b-block secure against an adversary of strength `, if the adversary,which accesses at most ` storage nodes, gains no information about any groupof b data symbols.
• Examples:• 1-block security (weak security) implies that no individual data symbol is
revealed.• 2-block security implies that no information on any group of two data
symbols is revealed.• B-block security (B is the file size) implies perfect security.
[12] S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEE Int.Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.[13] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.
Secure DSSs | E. Rosnes 35 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming
• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and
• the coding scheme is linear.
x1 x1 + x2 x1 + x2 + x3 x1 + r
x2 x2 + x3 x2 + x3 + x4 x2 + r
x3 x4 + x5 x3 + x4 + x5 x1 + x2 + r
Insecure 1-block secure 2-block secure Perfectly secure
Secure DSSs | E. Rosnes 36 / 45
Distributed storage systems (DSSs) Security References
Necessary and sufficient condition
Lemma ([12, Lem. 3])Let x ∈ FB
q be the stored file and ExT the eavesdropped symbols. Let C bethe code generated by E. Then, the adversary cannot deduce any nontriviallinear combination of at most b data symbols iff b ≤ dmin(C)− 1.
Secure DSSs | E. Rosnes 37 / 45
Distributed storage systems (DSSs) Security References
Example• Let n = 4, k = 2, and d = 3. For β = 1, we have B = kd −
(k2)
= 5(MBR point). For encoding, we choose the Vandermonde matrix
1 1 1 1 11 3 9 1 31 5 12 8 11 7 10 5 91 9 3 1 91 11 4 5 3
g1g2g3g4g5g6
over F13.• An adversary which accesses one node (` = 1) obtains d = 3 distinct
coded symbols.• Suppose these are g1xT , g2xT , and g5xT .• The minimum distance of C is one!!!• The code is not even weakly secure against an adversary of strength one.
Secure DSSs | E. Rosnes 38 / 45
Distributed storage systems (DSSs) Security References
Example• Let n = 4, k = 2, and d = 3. For β = 1, we have B = kd −
(k2)
= 5(MBR point). For encoding, we choose the Vandermonde matrix
1 1 1 1 11 3 9 1 31 5 12 8 11 7 10 5 91 9 3 1 91 11 4 5 3
g1g2g3g4g5g6
over F13.• An adversary which accesses one node (` = 1) obtains d = 3 distinct
coded symbols.• Suppose these are g1xT , g2xT , and g5xT .• The minimum distance of C is one!!!• The code is not even weakly secure against an adversary of strength one.
Secure DSSs | E. Rosnes 38 / 45
Distributed storage systems (DSSs) Security References
Example• Let n = 4, k = 2, and d = 3. For β = 1, we have B = kd −
(k2)
= 5(MBR point). For encoding, we choose the Vandermonde matrix
1 1 1 1 11 3 9 1 31 5 12 8 11 7 10 5 91 9 3 1 91 11 4 5 3
g1g2g3g4g5g6
over F13.• An adversary which accesses one node (` = 1) obtains d = 3 distinct
coded symbols.• Suppose these are g1xT , g2xT , and g5xT .• The minimum distance of C is one!!!• The code is not even weakly secure against an adversary of strength one.
Secure DSSs | E. Rosnes 38 / 45
Distributed storage systems (DSSs) Security References
Example• Let n = 4, k = 2, and d = 3. For β = 1, we have B = kd −
(k2)
= 5(MBR point). For encoding, we choose the Vandermonde matrix
1 1 1 1 11 3 9 1 31 5 12 8 11 7 10 5 91 9 3 1 91 11 4 5 3
g1g2g3g4g5g6
over F13.• An adversary which accesses one node (` = 1) obtains d = 3 distinct
coded symbols.• Suppose these are g1xT , g2xT , and g5xT .• The minimum distance of C is one!!!• The code is not even weakly secure against an adversary of strength one.
Secure DSSs | E. Rosnes 38 / 45
Distributed storage systems (DSSs) Security References
Example• Let n = 4, k = 2, and d = 3. For β = 1, we have B = kd −
(k2)
= 5(MBR point). For encoding, we choose the Vandermonde matrix
1 1 1 1 11 3 9 1 31 5 12 8 11 7 10 5 91 9 3 1 91 11 4 5 3
g1g2g3g4g5g6
over F13.• An adversary which accesses one node (` = 1) obtains d = 3 distinct
coded symbols.• Suppose these are g1xT , g2xT , and g5xT .• The minimum distance of C is one!!!• The code is not even weakly secure against an adversary of strength one.
Secure DSSs | E. Rosnes 38 / 45
Distributed storage systems (DSSs) Security References
Example• Let n = 4, k = 2, and d = 3. For β = 1, we have B = kd −
(k2)
= 5(MBR point). For encoding, we choose the Vandermonde matrix
1 1 1 1 11 3 9 1 31 5 12 8 11 7 10 5 91 9 3 1 91 11 4 5 3
g1g2g3g4g5g6
over F13.• An adversary which accesses one node (` = 1) obtains d = 3 distinct
coded symbols.• Suppose these are g1xT , g2xT , and g5xT .• The minimum distance of C is one!!!• The code is not even weakly secure against an adversary of strength one.
Secure DSSs | E. Rosnes 38 / 45
Distributed storage systems (DSSs) Security References
Example: Security level b versus `
0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50
2
4
6
8
10
12
14
16
18
20
Adversarial strength `
Secu
rity
level
b
PM-MBR code (n = 7, k = 5, d = 6, B = 20)
Secure DSSs | E. Rosnes 39 / 45
Distributed storage systems (DSSs) Security References
Example: Security level b versus `
0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50
2
4
6
8
10
12
14
16
18
20
Adversarial strength `
Secu
rity
level
b
PM-MBR code (n = 7, k = 5, d = 6, B = 20)Secure PM-MBR code (n = 7, k = 5, d = 6, Bs = 9)
Secure DSSs | E. Rosnes 39 / 45
Distributed storage systems (DSSs) Security References
A coset coding approach [14, 15]
How does it work?
• A coset outer code is constructed using a (B,B − Bs) linear code C overFq with parity-check matrix H .
• The message m is encoded by selecting uniformly at random some x ∈ FBq
such that m = HxT .• m is a syndrome specifying a coset of C, and the codeword x is a
randomly chosen element of that coset.
[14] S. Kadhe and A. Sprintson “Weakly secure regenerating codes for distributed storage,” in Proc. Int. Symp. Network Coding (NetCod), Aalborg,Denmark, Jun. 2014.[15] L. H. Ozarow and A. D. Wyner, “The wire-tap channel II,” Bell Syst. Tech. J., vol. 63, pp. 2135–2157, 1984.
Secure DSSs | E. Rosnes 40 / 45
Distributed storage systems (DSSs) Security References
A coset coding approach [14, 15]
How does it work?
• A coset outer code is constructed using a (B,B − Bs) linear code C overFq with parity-check matrix H .
• The message m is encoded by selecting uniformly at random some x ∈ FBq
such that m = HxT .• m is a syndrome specifying a coset of C, and the codeword x is a
randomly chosen element of that coset.
[14] S. Kadhe and A. Sprintson “Weakly secure regenerating codes for distributed storage,” in Proc. Int. Symp. Network Coding (NetCod), Aalborg,Denmark, Jun. 2014.[15] L. H. Ozarow and A. D. Wyner, “The wire-tap channel II,” Bell Syst. Tech. J., vol. 63, pp. 2135–2157, 1984.
Secure DSSs | E. Rosnes 40 / 45
Distributed storage systems (DSSs) Security References
A coset coding approach [14, 15]
How does it work?
• A coset outer code is constructed using a (B,B − Bs) linear code C overFq with parity-check matrix H .
• The message m is encoded by selecting uniformly at random some x ∈ FBq
such that m = HxT .• m is a syndrome specifying a coset of C, and the codeword x is a
randomly chosen element of that coset.
[14] S. Kadhe and A. Sprintson “Weakly secure regenerating codes for distributed storage,” in Proc. Int. Symp. Network Coding (NetCod), Aalborg,Denmark, Jun. 2014.[15] L. H. Ozarow and A. D. Wyner, “The wire-tap channel II,” Bell Syst. Tech. J., vol. 63, pp. 2135–2157, 1984.
Secure DSSs | E. Rosnes 40 / 45
Distributed storage systems (DSSs) Security References
A coset coding approach [14, 15]
How does it work?
• A coset outer code is constructed using a (B,B − Bs) linear code C overFq with parity-check matrix H .
• The message m is encoded by selecting uniformly at random some x ∈ FBq
such that m = HxT .• m is a syndrome specifying a coset of C, and the codeword x is a
randomly chosen element of that coset.
[14] S. Kadhe and A. Sprintson “Weakly secure regenerating codes for distributed storage,” in Proc. Int. Symp. Network Coding (NetCod), Aalborg,Denmark, Jun. 2014.[15] L. H. Ozarow and A. D. Wyner, “The wire-tap channel II,” Bell Syst. Tech. J., vol. 63, pp. 2135–2157, 1984.
Secure DSSs | E. Rosnes 40 / 45
Distributed storage systems (DSSs) Security References
How to pick the outer code?• We need a condition involving H ([16, Lem. 6]).
LemmaAssume an outer code defined by H and an exact regenerating code for theinner code. Suppose each message symbol mi is chosen uniformly andindependently. Let e = Ex be µ linearly independent eavesdropped symbols.Then,
I (mI , e) = rank(HI) + rank(E)− rank(
HIE
)for any index subset I of m such that |I| ≤ B − µ.
A specific construction for H was given in [14] for PM-MBR codes. Furtherresults were recently presented at ITA 2017.
[16] D. Silva and F. R. Kschischang, “Universal secure network coding via rank-metric codes,” IEEE Trans. Inf. Theory, vol. 57, no. 2, pp.1124–1135, Feb. 2011.
Secure DSSs | E. Rosnes 41 / 45
Distributed storage systems (DSSs) Security References
How to pick the outer code?• We need a condition involving H ([16, Lem. 6]).
LemmaAssume an outer code defined by H and an exact regenerating code for theinner code. Suppose each message symbol mi is chosen uniformly andindependently. Let e = Ex be µ linearly independent eavesdropped symbols.Then,
I (mI , e) = rank(HI) + rank(E)− rank(
HIE
)for any index subset I of m such that |I| ≤ B − µ.
A specific construction for H was given in [14] for PM-MBR codes. Furtherresults were recently presented at ITA 2017.
[16] D. Silva and F. R. Kschischang, “Universal secure network coding via rank-metric codes,” IEEE Trans. Inf. Theory, vol. 57, no. 2, pp.1124–1135, Feb. 2011.
Secure DSSs | E. Rosnes 41 / 45
Distributed storage systems (DSSs) Security References
How to pick the outer code?• We need a condition involving H ([16, Lem. 6]).
LemmaAssume an outer code defined by H and an exact regenerating code for theinner code. Suppose each message symbol mi is chosen uniformly andindependently. Let e = Ex be µ linearly independent eavesdropped symbols.Then,
I (mI , e) = rank(HI) + rank(E)− rank(
HIE
)for any index subset I of m such that |I| ≤ B − µ.
A specific construction for H was given in [14] for PM-MBR codes. Furtherresults were recently presented at ITA 2017.
[16] D. Silva and F. R. Kschischang, “Universal secure network coding via rank-metric codes,” IEEE Trans. Inf. Theory, vol. 57, no. 2, pp.1124–1135, Feb. 2011.
Secure DSSs | E. Rosnes 41 / 45
Distributed storage systems (DSSs) Security References
How to pick the outer code?• We need a condition involving H ([16, Lem. 6]).
LemmaAssume an outer code defined by H and an exact regenerating code for theinner code. Suppose each message symbol mi is chosen uniformly andindependently. Let e = Ex be µ linearly independent eavesdropped symbols.Then,
I (mI , e) = rank(HI) + rank(E)− rank(
HIE
)for any index subset I of m such that |I| ≤ B − µ.
A specific construction for H was given in [14] for PM-MBR codes. Furtherresults were recently presented at ITA 2017.
[16] D. Silva and F. R. Kschischang, “Universal secure network coding via rank-metric codes,” IEEE Trans. Inf. Theory, vol. 57, no. 2, pp.1124–1135, Feb. 2011.
Secure DSSs | E. Rosnes 41 / 45
Distributed storage systems (DSSs) Security References
Example: Security level b versus `
0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50
2
4
6
8
10
12
14
16
18
20
Adversarial strength `
Secu
rity
level
b
PM-MBR code (n = 7, k = 5, d = 6, B = 20)
Secure DSSs | E. Rosnes 42 / 45
Distributed storage systems (DSSs) Security References
Example: Security level b versus `
0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50
2
4
6
8
10
12
14
16
18
20
Adversarial strength `
Secu
rity
level
b
PM-MBR code (n = 7, k = 5, d = 6, B = 20)Secure PM-MBR code (n = 7, k = 5, d = 6, Bs = 9)
Secure DSSs | E. Rosnes 42 / 45
Distributed storage systems (DSSs) Security References
Example: Security level b versus `
0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 50
2
4
6
8
10
12
14
16
18
20
Adversarial strength `
Secu
rity
level
b
PM-MBR code (n = 7, k = 5, d = 6, B = 20)Secure PM-MBR code (n = 7, k = 5, d = 6, Bs = 9)Coset coding (n = 7, k = 5, d = 6, Bs = 18)
b = d + k − 3, ` = 1, Bs = B − 2 [14]
Secure DSSs | E. Rosnes 42 / 45
Distributed storage systems (DSSs) Security References
Take home message
Research into secure codes for distributed storage systems is an active andexciting research area.
Secure DSSs | E. Rosnes 43 / 45
Distributed storage systems (DSSs) Security References
ReferencesA. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEETrans. Inf. Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
S. Pawar, S. El Rouayheb, and K. Ramchandran, “Securing dynamic distributed storage systems against eavesdropping and adversarialattacks,” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6743–6753, Oct. 2011.
N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.
K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no.2, pp. 1510–1524, Mar. 2017.
R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans.Inf. Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.
A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
R. Bitar and S. El Rouayheb, “Securing data against limited-knowledge adversaries in distributed storage systems,” in Proc. IEEE Int. Symp.Inf. Theory (ISIT), Hong Kong, China, Jun. 2015, pp. 2857–2851.
K. V. Rashmi, N. B. Shah, and P. V. Kumar, “Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via aproduct-matrix construction,” IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 5227–5239, Aug. 2011.
A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, “Optimal locally repairable and secure codes for distributed storagesystems,” IEEE Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.
S. Goparaju, S. El Rouayheb, R. Calderbank, and H. Vincent Poor, “Data secrecy in distributed storage systems under exact repair,” in Proc.Int. Symp. Netw. Coding (NetCod), Calgary, Alberta, Canada, Jun. 2013.
Secure DSSs | E. Rosnes 44 / 45
Distributed storage systems (DSSs) Security References
References (cont.)
S. Kumar, E. Rosnes, A. Graell i Amat, ”Secure repairable Fountain codes,” IEEE Commun. Letters, vol. 20, no. 8, pp. 1491–1494, Aug. 2016.
S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEEInt. Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.
K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.
S. Kadhe and A. Sprintson “Weakly secure regenerating codes for distributed storage,” in Proc. Int. Symp. Network Coding (NetCod),Aalborg, Denmark, Jun. 2014.
L. H. Ozarow and A. D. Wyner, “The wire-tap channel II,” Bell Syst. Tech. J., vol. 63, pp. 2135–2157, 1984.
D. Silva and F. R. Kschischang, “Universal secure network coding via rank-metric codes,” IEEE Trans. Inf. Theory, vol. 57, no. 2, pp.1124–1135, Feb. 2011.
Secure DSSs | E. Rosnes 45 / 45