distributed storage systems (dsss) security references distributed storage using erasure correcting...

Secure Distributed Storage Systems

Eirik Rosnes

Simula@UiB, N-5020 Bergen, Norway

Institut Mittag-LefflerMay 16, 2017

Distributed storage systems (DSSs) Security References

Outline

1. Distributed storage systems (DSSs)MotivationErasure correcting codesRegenerating codes

2. SecurityIntroductionSecurity modelsOverview of some secure codesBlock/weak security

Secure DSSs | E. Rosnes 1 / 45

Acknowledgment

Alexandre Graell i AmatProfessor at Chalmers

Siddhartha KumarPhD student (UoB)

Motivation

• The amount of digital data generated grows 40% per year.

• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.(1.8 ZB was generated in 2011.)

Need to store, process, and deliver massive amounts of data.

• Inexpensively

• Reliably

Motivation

• The amount of digital data generated grows 40% per year.

• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.(1.8 ZB was generated in 2011.)

• Inexpensively

• Reliably

Motivation

• The amount of digital data generated grows 40% per year.• 40 ZB (1 ZB= 1021 bytes) of data will be generated yearly by 2020.

(1.8 ZB was generated in 2011.)

• Inexpensively

• Reliably

Motivation

• Inexpensively

• Reliably

Motivation

• Inexpensively

• Reliably

Motivation

Need to store, process, and deliver massive amounts of data.• Inexpensively

• Reliably

Motivation

Need to store, process, and deliver massive amounts of data.• Inexpensively• Reliably

Motivation

Need to store, process, and deliver massive amounts of data.• Inexpensively• Reliably

Motivation

2005 2009 2013 20200

Motivation

2005 2009 2013 20200

Data storage in the old times

In the old times...• Single pieces of very reliable hardware

→ very expensive!

Data storage in the old times

In the old times...• Single pieces of very reliable hardware → very expensive!

Distributed storage

Distributed storage• Data is stored across multiple interconnected inexpensive storage units in a

distributed fashion.

• Individual storage units (storage nodes) are unreliable, but reliability isprovided globally.

Distributed storage

Distributed storage• Data is stored across multiple interconnected inexpensive storage units in a

distributed fashion.• Individual storage units (storage nodes) are unreliable, but reliability is

provided globally.

Distributed storage

• Individual storage nodes are prone to failures → need to provide resilienceto node failures (fault tolerance).

• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.

Distributed storage

• Basic approach: Replication.

• Data is stored in a distributed fashion across three storage nodes.• Individual nodes are unreliable, but the system provides reliability globally.

Distributed storage

• Basic approach: Replication.• Data is stored in a distributed fashion across three storage nodes.

• Individual nodes are unreliable, but the system provides reliability globally.

Distributed storage

ReplicationReplication: Replicate the data n times

• Simple, but...

high storage overhead → very costly in terms of hardware,real-state, maintenance (cooling)...

• Need to reduce the storage overhead!

Can we do better?

• Simple, but... high storage overhead

→ very costly in terms of hardware,real-state, maintenance (cooling)...

Can we do better?

• Simple, but... high storage overhead → very costly in terms of hardware,real-state, maintenance (cooling)...

Can we do better?

Can we do better?Secure DSSs | E. Rosnes 8 / 45

Distributed storage using erasure correcting codes

(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy.

The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).

... ...k data symbols n − k parity symbols

k data nodes n − k parity nodes

(n, k) erasure correcting codeTransforms a sequence of k symbols into a sequence of n > k symbols, addingn − k symbols of redundancy. The n − k extra symbols help in recovering theoriginal data in case some of the n symbols are lost (erased).

k data symbols

n − k parity symbols

... ...

k data symbols n − k parity symbols

Example: (9, 7) maximum distance separable (MDS) code. t = 2

• A piece of data is divided into k = 7 symbols,

and encoded into n = 9symbols. (We add n − k = 2 symbols of redundancy.)

• 7 nodes store the plain data,

2 nodes store redundancy.

• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).

Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols,

and encoded into n = 9symbols. (We add n − k = 2 symbols of redundancy.)

Example: (9, 7) maximum distance separable (MDS) code. t = 2• A piece of data is divided into k = 7 symbols, and encoded into n = 9

symbols. (We add n − k = 2 symbols of redundancy.)

symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data,

2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).

symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.

symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.

• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).

symbols. (We add n − k = 2 symbols of redundancy.)• 7 nodes store the plain data, 2 nodes store redundancy.• The data can be retrieved from any subset of 7 storage nodes.• Storage overhead n/k = 1.28 (n/k = 3 for 3-replication).

Distributed storage

Distributed storage systems come in many flavors:

• Data centers,

cloud storage networks, and P2P storage/backup systems

• Google File System, Facebook’s Hadoop distributed file system, andMicrosoft’s Windows Azure cloud system.

• Wireless distributed storage for content delivery.

Distributed storage

Distributed storage systems come in many flavors:• Data centers,

cloud storage networks, and P2P storage/backup systems

Distributed storage

Distributed storage systems come in many flavors:• Data centers, cloud storage networks,

and P2P storage/backup systems

Distributed storage

Distributed storage systems come in many flavors:• Data centers, cloud storage networks, and P2P storage/backup systems.

Distributed storage

Distributed storage systems come in many flavors:• Data centers, cloud storage networks, and P2P storage/backup systems.• Google File System, Facebook’s Hadoop distributed file system, and

Microsoft’s Windows Azure cloud system.

Distributed storage

Distributed storage systems come in many flavors:• Data centers, cloud storage networks, and P2P storage/backup systems.• Google File System, Facebook’s Hadoop distributed file system, and

Microsoft’s Windows Azure cloud system.• Wireless distributed storage for content delivery.

Regenerating codes [1]

• Purpose: Efficient repair (in terms of repair bandwidth) of failed nodes.• Notation:

• A file of size B symbols from Fq is stored on n nodes.• The k-out-of-n property should hold.• Each node stores α symbols from Fq.• For the repair of a single node, k ≤ d ≤ n − 1 nodes are contacted.• From each of the d nodes, β symbols are downloaded.

• Then,

B ≤k−1∑i=0

min(α, (d − i)β)

[1] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf.Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.

• Then,

B ≤k−1∑i=0

• Then,

B ≤k−1∑i=0

• Then,

B ≤k−1∑i=0

• Then,

B ≤k−1∑i=0

• Then,

B ≤k−1∑i=0

• Then,

B ≤k−1∑i=0

Tradeoff curves• We get (l = 0, . . . , k − 1)

γ , dβ = Bk − 1

2d (k(k − 1) + (l + 1)l), α = γ − γl/d

0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.280.1

• n = 15, k = 10, and d = n − 1.Secure DSSs | E. Rosnes 13 / 45

The boundary points• There are two boundary points:

• The minimal storage regeneration (MSR) point:

α = Bk and dβ = α+ (k − 1)β.

• The minimal bandwidth regeneration (MBR) point:

α = Bk + (k − 1)β

2 and dβ = α.

• Functional repair: The regenerated data is not the same as that lost, butprovides equivalent redundancy.

• Exact repair: The regenerated data is bitwise identical to what was lost(more practical).

α = Bk and dβ = α+ (k − 1)β.

α = Bk + (k − 1)β

2 and dβ = α.

α = Bk and dβ = α+ (k − 1)β.

α = Bk + (k − 1)β

2 and dβ = α.

α = Bk and dβ = α+ (k − 1)β.

α = Bk + (k − 1)β

2 and dβ = α.

What about security?

TypesTwo ways to look at it:

• Security against passive attacks.• Security against active attacks.

Solution• Cryptographic approach:

Easy to implement.Complex key management.

• Information-theoretic approach.

Security against passive attacks: An intuition

m1 m2 m1 + m2 m1 + 2m2m1 + r r m1 + 2r m1 + 3r

Objective (strong secrecy)To achieve I (m; e) = 0.

The main principle is to append random data to the file. This achieves securityat the expense of a higher storage overhead!!!

m1 m2 m1 + m2 m1 + 2m2

m1 + r r m1 + 2r m1 + 3r

m1 m2 m1 + m2 m1 + 2m2

m1 + r r m1 + 2r m1 + 3r

m1 m2 m1 + m2 m1 + 2m2

m1 + r r m1 + 2r m1 + 3r

m1 m2 m1 + m2 m1 + 2m2

m1 + r r m1 + 2r m1 + 3r

m1 m2 m1 + m2 m1 + 2m2

m1 + r r m1 + 2r m1 + 3r

m1 m2 m1 + m2 m1 + 2m2

m1 + r r m1 + 2r m1 + 3r

Security models

• Assume there is an intruder in the DSS.• Its power is given by two parameters ` and b [2]:

• `: number of nodes the intruder can eavesdrop on.• b: number of nodes it can control by maliciously corrupting their data.

• The intruder can be:• A passive eavesdropper “Eve” (b = 0 and ` < k).• An active omniscient adversary “Calvin”.• An active limited-knowledge adversary “Charlie”.

• The data collector and the intruder have complete knowledge of thestorage and the repair scheme.

[2] S. Pawar, S. El Rouayheb, and K. Ramchandran, “Securing dynamic distributed storage systems against eavesdropping and adversarial attacks,”IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6743–6753, Oct. 2011.

Security models

Generalized passive eavesdropper model(`1, `2) passive eavesdropper model [3]

• Eavesdropper observes the symbols stored on `1 nodes.• Eavesdropper observes the symbols downloaded during the repair of `2

additional nodes.

c1 c2 c3 c4

c1 c2 c4

m1 m2 m3 m4

[3] N. B. Shah, K. V. Rashmi, and P. V. Kumar, “Information-theoretically secure regenerating codes for distributed storage,” in Proc. GlobalTelecommun. Conf. (GLOBECOM), Houston, TX, Dec. 2011.

additional nodes.

c1 c2 c3 c4

c1 c2 c4

m1 m2 m3 m4

additional nodes.

c1 c2 c3 c4c1

m1 m2 m3 m4

additional nodes.

c1 c2 c3 c4c1

m1 m2 m3 m4m1

additional nodes.

c1 c2 c3 c4c1 c2

m1 m2 m3 m4m1

additional nodes.

c1 c2 c3 c4c1 c2 c4

m1 m2m2 m3 m4m4m1

c5c5 c6

Tradeoff curve• Under the (`1, `2) passive eavesdropper model [2]

Bs ≤k−1∑

i=`1+`2

min(α, (d − i)β).

• Intuition:• Assume the first `1 + `2 of the k nodes used for reconstruction are

compromised.• The data stored in these `1 + `2 nodes should provide zero information

about the message, and only the remaining k − (`1 + `2) nodes provideuseful information to the data-collector.

• MBR point: The upper bound is known to be tight under exact repair [3].• MSR point: A tight bound under exact repair is still open for `2 > 0 [4, 5].

[4] K. Huang, U. Parampalli, and M. Xian, “On secrecy capacity of minimum storage regenerating codes,” IEEE Trans. Inf. Theory, vol. 63, no. 2,pp. 1510–1524, Mar. 2017.[5] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, “Towards optimal secure distributed storage systems with exact repair,” IEEE Trans. Inf.Theory, vol. 60, no. 6, pp. 3477–3492, Jun. 2016.

Bs ≤k−1∑

i=`1+`2

Bs ≤k−1∑

i=`1+`2

Bs ≤k−1∑

i=`1+`2

Bs ≤k−1∑

i=`1+`2

Tradeoff curve• We get (l = `, . . . , k − 1 where ` = `1 + `2)

γ , dβ = Bs

k − `− 12d (k(k − 1) + (l − 2`+ 1)l)

, α = γ − γl/d

0.1 0.12 0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.28 0.3 0.32 0.340.1

γ , dβ = Bs

k − `− 12d (k(k − 1) + (l − 2`+ 1)l)

, α = γ − γl/d

0.1 0.12 0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.28 0.3 0.32 0.340.1

` = 0` = 1

γ , dβ = Bs

k − `− 12d (k(k − 1) + (l − 2`+ 1)l)

, α = γ − γl/d

0.1 0.12 0.14 0.16 0.18 0.2 0.22 0.24 0.26 0.28 0.3 0.32 0.340.1

` = 0` = 1` = 2

Shamir’s secret sharing scheme [6]

• A random polynomial of degree k − 1 in which the constant coefficient isequal to the secret is selected.

• The polynomial is evaluated at n points (the n shares)• Properties:

• The secret can be recovered from any k shares,• while ≤ k − 1 shares provide zero information about the secret.

• Repair: k shares are need for polynomial interpolation.• The repair operations are inefficient!!!

[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.

Active omniscient adversary

• The active adversary Calvin knows the data stored on all the nodes (andthus the file).

• Moreover, Calvin controls b nodes in total, where 2b < k.• Calvin can maliciously alter the data stored on the nodes under his control.• He can also send erroneous outgoing messages when contacted for repair

or reconstruction.

What is the maximum file size such that the data collector can reliable retrievethe file?

or reconstruction.

Active limited-knowledge adversary

• The active adversary Charlie is not omniscient, but has limited knowledgeabout the data stored in the system.

• In particular, he has a limited eavesdropping capability `.• In addition, Charlie controls b chosen nodes and maliciously corrupts their

data.• We assume that b ≤ ` and that these b nodes are a subset of the `

eavesdropped nodes.

Upper bounds on the resiliency capacity [2]• For an active omniscient adversary (` = k, 2b < k)

Cr ≤k−1∑i=2b

min (α, (d − i)β) .

• For an active limited-knowledge adversary (`, b ≤ `)

Cr ≤k−1∑i=b

min (α, (d − i)β) .

• It is known that the upper bounds are tight in the so-calledbandwidth-limited regime [2].

• Explicit code constructions for this regime were given in [7] usingPM-MBR codes [8] and a correlation hashing scheme.

[7] R. Bitar and S. El Rouayheb, “Securing data against limited-knowledge adversaries in distributed storage systems,” in Proc. IEEE Int. Symp. Inf.Theory (ISIT), Hong Kong, China, Jun. 2015, pp. 2857–2851.[8] K. V. Rashmi, N. B. Shah, and P. V. Kumar, “Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via aproduct-matrix construction,” IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 5227–5239, Aug. 2011.

Cr ≤k−1∑i=2b

min (α, (d − i)β) .

Cr ≤k−1∑i=b

min (α, (d − i)β) .

Cr ≤k−1∑i=2b

min (α, (d − i)β) .

Cr ≤k−1∑i=b

min (α, (d − i)β) .

Cr ≤k−1∑i=2b

min (α, (d − i)β) .

Cr ≤k−1∑i=b

min (α, (d − i)β) .

Secure codes in the literature

• Secure MBR codes (Pawar et al. [2]).• Secure PM-MBR and PM-MSR codes (Shah et al. [3]).

• MBR: The secure file size achieves the upper bound for all (n, k, d) for all(`1, `2).

• MSR: The upper bound is only achieved for `2 = 0 and can be tightened[9, 10].

• Secure MSR codes and secure LRCs (Rawat et al. [9]).

[9] A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, “Optimal locally repairable and secure codes for distributed storage systems,“IEEE Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.[10] S. Goparaju, S. El Rouayheb, R. Calderbank, and H. Vincent Poor, “Data secrecy in distributed storage systems under exact repair,” in Proc. Int.Symp. Netw. Coding (NetCod), Calgary, Alberta, Canada, Jun. 2013.

The approach of [3]

• To construct a secure code for a given (n, k, d), a PM-MBR code with thesame parameters are selected.

• Replace a specific, carefully chosen set of B − Bs message symbols withrandom symbols chosen uniformly and independently from Fq.

• The reconstruction process and repair in the secure code can be carriedout in the same way as in the original code.

• Security proof relies on:

H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.

• Secure PM-MBR and PM-MSR codes are constructed in this way.

The approach of [3]

H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.

The approach of [3]

H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.

The approach of [3]

H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.

The approach of [3]

H (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.

PM-MBR codes• Set β = 1, which implies that α = d at the MBR point.• Encoding matrix: Ψn×d =

[Φn×k ∆n×(d−k)

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

• Requirements:• Any k rows of Φn×k are linearly independent.• Any d rows of ∆n×(d−k) are linearly independent.

• We can pick Ψn×d as a Vandermonde or Cauchy matrix.• For security:

• When the encoding matrix is restricted to the first ` columns, any ` rowsare linearly independent.

• Replace the message symbols in the first ` rows of the symmetric matrix Mby random symbols.

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

• Message matrix:

M d×d =(

Sk×k Tk×(d−k)TT

(d−k)×k 0(d−k)×(d−k)

PM-MBR codes: Example• Let n = 6, k = 3, and d = 4. With β = 1, we get B = 9 and

M d×d =

u1 u2 u3 u7u2 u4 u5 u8u3 u5 u6 u9u7 u8 u9 0

• With ` = 1, we get

M d×d =

r1 r2 r3 r7r2 u4 u5 u8r3 u5 u6 u9r7 u8 u9 0

• Thus, Bs = 9− 4 = 5 (4 random symbols are used).• A similar approach works for PM-MSR codes.

M d×d =

PM-MBR codes: Example

r1 + r2 + r3 + r7

r2 + u4 + u5 + u8

r3 + u5 + u6 + u9

r7 + u8 + u9

r1 + 3r2 + 9r3 + r7

r2 + 3u4 + 9u5 + u8

r3 + 3u5 + 9u6 + u9

r7 + 3u8 + 9u9

r1 + 5r2 + 12r3 + 8r7

r2 + 5u4 + 12u5 + 8u8

r3 + 5u5 + 12u6 + 8u9

r7 + 5u8 + 12u9

r1 + 7r2 + 10r3 + 5r7

r2 + 7u4 + 10u5 + 5u8

r3 + 7u5 + 10u6 + 5u9

r7 + 7u8 + 10u9

r1 + 9r2 + 3r3 + r7

r2 + 9u4 + 3u5 + u8

r3 + 9u5 + 3u6 + u9

r7 + 9u8 + 3u9

r1 + 11r2 + 4r3 + 5r7

r2 + 11u4 + 4u5 + 5u8

r3 + 11u5 + 4u6 + 5u9

r7 + 11u8 + 4u98×

12×5×1×

Σ Σ Σ Σ

• Vandermonde encoding matrix over F13.• The system is secure for ` = 1.• Repair follows the repair scheme of PM-MBR codes.

r1 + r2 + r3 + r7

r2 + u4 + u5 + u8

r3 + u5 + u6 + u9

r7 + u8 + u9

r1 + 3r2 + 9r3 + r7

r2 + 3u4 + 9u5 + u8

r3 + 3u5 + 9u6 + u9

r7 + 3u8 + 9u9

r1 + 5r2 + 12r3 + 8r7

r2 + 5u4 + 12u5 + 8u8

r3 + 5u5 + 12u6 + 8u9

r7 + 5u8 + 12u9

r1 + 7r2 + 10r3 + 5r7

r2 + 7u4 + 10u5 + 5u8

r3 + 7u5 + 10u6 + 5u9

r7 + 7u8 + 10u9

r1 + 9r2 + 3r3 + r7

r2 + 9u4 + 3u5 + u8

r3 + 9u5 + 3u6 + u9

r7 + 9u8 + 3u9

r1 + 11r2 + 4r3 + 5r7

r2 + 11u4 + 4u5 + 5u8

r3 + 11u5 + 4u6 + 5u9

r7 + 11u8 + 4u98×

12×5×1×

Σ Σ Σ Σ

r1 + r2 + r3 + r7

r2 + u4 + u5 + u8

r3 + u5 + u6 + u9

r7 + u8 + u9

r1 + 3r2 + 9r3 + r7

r2 + 3u4 + 9u5 + u8

r3 + 3u5 + 9u6 + u9

r7 + 3u8 + 9u9

r1 + 5r2 + 12r3 + 8r7

r2 + 5u4 + 12u5 + 8u8

r3 + 5u5 + 12u6 + 8u9

r7 + 5u8 + 12u9

r1 + 7r2 + 10r3 + 5r7

r2 + 7u4 + 10u5 + 5u8

r3 + 7u5 + 10u6 + 5u9

r7 + 7u8 + 10u9

r1 + 9r2 + 3r3 + r7

r2 + 9u4 + 3u5 + u8

r3 + 9u5 + 3u6 + u9

r7 + 9u8 + 3u9

r1 + 11r2 + 4r3 + 5r7

r2 + 11u4 + 4u5 + 5u8

r3 + 11u5 + 4u6 + 5u9

r7 + 11u8 + 4u98×

12×5×1×

Σ Σ Σ Σ

r1 + r2 + r3 + r7

r2 + u4 + u5 + u8

r3 + u5 + u6 + u9

r7 + u8 + u9

r1 + 3r2 + 9r3 + r7

r2 + 3u4 + 9u5 + u8

r3 + 3u5 + 9u6 + u9

r7 + 3u8 + 9u9

r1 + 5r2 + 12r3 + 8r7

r2 + 5u4 + 12u5 + 8u8

r3 + 5u5 + 12u6 + 8u9

r7 + 5u8 + 12u9

r1 + 7r2 + 10r3 + 5r7

r2 + 7u4 + 10u5 + 5u8

r3 + 7u5 + 10u6 + 5u9

r7 + 7u8 + 10u9

r1 + 9r2 + 3r3 + r7

r2 + 9u4 + 3u5 + u8

r3 + 9u5 + 3u6 + u9

r7 + 9u8 + 3u9

r1 + 11r2 + 4r3 + 5r7

r2 + 11u4 + 4u5 + 5u8

r3 + 11u5 + 4u6 + 5u9

r7 + 11u8 + 4u98×

12×5×1×

Σ Σ Σ Σ

r1 + r2 + r3 + r7

r2 + u4 + u5 + u8

r3 + u5 + u6 + u9

r7 + u8 + u9

r1 + 3r2 + 9r3 + r7

r2 + 3u4 + 9u5 + u8

r3 + 3u5 + 9u6 + u9

r7 + 3u8 + 9u9

r1 + 5r2 + 12r3 + 8r7

r2 + 5u4 + 12u5 + 8u8

r3 + 5u5 + 12u6 + 8u9

r7 + 5u8 + 12u9

r1 + 7r2 + 10r3 + 5r7

r2 + 7u4 + 10u5 + 5u8

r3 + 7u5 + 10u6 + 5u9

r7 + 7u8 + 10u9

r1 + 9r2 + 3r3 + r7

r2 + 9u4 + 3u5 + u8

r3 + 9u5 + 3u6 + u9

r7 + 9u8 + 3u9

r1 + 11r2 + 4r3 + 5r7

r2 + 11u4 + 4u5 + 5u8

r3 + 11u5 + 4u6 + 5u9

r7 + 11u8 + 4u98×

12×5×1×

Σ Σ Σ Σ

Code construction from [9, 11]

m̃ = (m, r) (k̃, k̃)Gabidulin encoding

(n, k̃)Storage code

c = (c1, c2, . . . , cn)

CharacteristicsZero information leakage.Has repair cost same the (n, k̃) storage code.High complexity.Code rate (k/n) less than the design code rate (k̃/n).

[11] S. Kumar, E. Rosnes, A. Graell i Amat, ”Secure repairable Fountain codes,” IEEE Commun. Letters, vol. 20, no. 8, pp. 1491–1494, Aug. 2016.

c = (c1, c2, . . . , cn)

(n, k) Gabidulin codes

EncodingEncoding of message m = (m1, . . . ,mk) ∈ Fk

qp is as follows:

1. Construct a linear polynomial: f (y) =∑k

i=1 miyqi−1 .2. Evaluate the polynomial at n points to obtain the codeword

c = (c1, . . . , cn) = (f (y1), f (y2), . . . , f (yn)) ∈ Fnqp .

DecodingThe message m is obtained from c as follows:

1. Obtain k code symbols.2. Perform polynomial interpolation to get m.

qp is as follows:

(n, k) Repairable fountain code

EncodingGiven m = (m1, . . . ,mk) ∈ Fk

qp , n − k parity symbols are constructed asfollows:

1. Select ξ = O(log k) message symbols with replacement.2. For each of these message symbols, uniformly select a coefficient from Fq.3. Parity symbol is formed from a weighted linear combination of selected

message and corresponding coefficients.

Properties1. Locality of ξ.2. Parallel reads.

Achieving security constraint: I (m; e) = 0

Rawat et al. [9] and othersH (e) ≤ H (r) and H (r |m, e) = 0 =⇒ I (m; e) = 0.

In [11]H (r |m, e) = H (r)−H (e)⇔ I (m; e) = 0.

The necessary condition is required since unlike traditional LRCs, which havedisjoint local repair groups, RFCs may also have overlapping repair groups.

In [11]H (r |m, e) = H (r)−H (e)⇔ I (m; e) = 0.

Issues with perfect secrecy

• Perfect secrecy is obtained at the cost of lowering the storage capacity.• One has to specify beforehand the strength of the adversary.• When the strength of the adversary is exceeded, nothing is guaranteed on

the security of the system.• Perfect secrecy is either too strict and might not be even necessary, or too

costly and might not be affordable.

Weaker security levels at lower costs are needed!!!

Block security [12]• The concept of block security (or security against guessing) is taken from

the network coding literature [13].

Block securityA code is b-block secure against an adversary of strength `, if the adversary,which accesses at most ` storage nodes, gains no information about any groupof b data symbols.

• Examples:• 1-block security (weak security) implies that no individual data symbol is

revealed.• 2-block security implies that no information on any group of two data

symbols is revealed.• B-block security (B is the file size) implies perfect security.

[12] S. H. Dau, W. Song, and C. Yuen, “On block security of regenerating codes at the MBR point for distributed storage systems,” in Proc IEEE Int.Symp. Inf. Theory (ISIT), Honolulu, HI, Jun./Jul. 2014, pp. 1967–1971.[13] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in Proc. First Workshop on Network Coding, Theory, and Applications(NetCod), Riva del Garda, Italy, Apr. 2005.

Block securityLemma [12]A code is b-block secure iff no linear combination of at most b data symbolscan be deduced by the adversary, assuming

• the data symbols are all independent and identically uniformly distributedrandom variables over Fq, and

• the coding scheme is linear.

x1 x1 + x2 x1 + x2 + x3 x1 + r