How to Store a Secret
Salim El Rouayheb, Illinois Institute of Technology
A Brief History of Codes for Storage According to Emina
1982 Reed Solomon paper (1960)
What if some nodes cannot be trusted?
(n,k)=(4,2)
user 1 . . . user 4
Disk 1: K    Disk 2: A+K    Disk 3: A+2K    Disk 4: A+3K
K: Key, A: File
Adversary (passive for now) controls one node
Secret Sharing [Shamir ’79]
Wiretap channel II, Coset Codes [Ozarow & Wyner ’84]
Eavesdropper
Wiretap Network
Multicast Network with Wiretapped Edges Coset Code Secret Shares
Secure network coding [Cai & Yeung ’02] [ElRouayheb, Soljanin ’07] [ElRouayheb, Sprintson, Soljanin ’10]
Main Message There: Separation is optimal Coset code + Network Code
New disk
Coset Codes/Secret Sharing are Not Enough
User
Disk 1 Disk 2 Disk 3 Disk 4 K A+K A+2K A+3K
K A+2K
All the data is leaked!
A+K
- Because storage systems are dynamic
failure
- Can we still protect the stored secret?
- Two surprising results
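The leak on this slide, worked through as an added example (not part of the original slides): the K, A+K, A+2K, A+3K layout hides A from any single static disk, but a replacement for Disk 2 that downloads K and A+2K can compute A. The field GF(257), the sample values and all function names are assumptions made for illustration.

```python
import secrets

P = 257  # prime field size; small so the exhaustive check is cheap (assumption)
# Disk i stores x*A + y*K mod P, i.e. K, A+K, A+2K, A+3K as on the slide.
COEFFS = [(0, 1), (1, 1), (1, 2), (1, 3)]


def encode(a, key):
    """Contents of Disk 1..4 for file symbol a and uniformly random key."""
    return [(x * a + y * key) % P for x, y in COEFFS]


def decode(i, si, j, sj):
    """Recover (A, K) from any two distinct disks i, j (0-based) by Cramer's rule."""
    (x1, y1), (x2, y2) = COEFFS[i], COEFFS[j]
    det_inv = pow((x1 * y2 - x2 * y1) % P, -1, P)
    a = (si * y2 - sj * y1) * det_inv % P
    key = (x1 * sj - x2 * si) * det_inv % P
    return a, key


def candidates_for_a(disk, observed):
    """File values still possible for a passive adversary reading one disk."""
    x, y = COEFFS[disk]
    return {a for a in range(P) for key in range(P)
            if (x * a + y * key) % P == observed}


def repair(failed, helpers):
    """Rebuild a failed disk from two helpers given as {index: content}.

    Returns (regenerated content, file value the replacement node can compute).
    """
    (i, si), (j, sj) = helpers.items()
    a, key = decode(i, si, j, sj)
    x, y = COEFFS[failed]
    return (x * a + y * key) % P, a


if __name__ == "__main__":
    a, key = 42, secrets.randbelow(P)  # constructed sample file symbol
    disks = encode(a, key)
    # Static system: one disk leaves all P values of A possible.
    print(len(candidates_for_a(2, disks[2])), "candidates for A out of", P)
    # Dynamic system: the new Disk 2 downloads K and A+2K, so it can compute A.
    rebuilt, leaked = repair(1, {0: disks[0], 2: disks[2]})
    print("rebuilt ok:", rebuilt == disks[1], "| replacement learned A =", leaked)
```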
New disk
General Problem Formulation
User
Disk 1 Disk 2 Disk 3 Disk n
failure
- (n,k) system
- d: repair degree
- α: storage per node
- β: repair bandwidth
- b: number of compromised nodes
- Adversary: passive/active
. . .
What is the largest secret I can store in this system without losing it or revealing it?
Pawar, ElRouayheb, Ramchandran, ’10
k d
β β β
A Divide and Share Scheme
1 2 3 1 4 5 2 4 6 3 5 6 1 2 3
Rashmi, Shah, Kumar & Ramchandran '09
User always sees all the 5 packets
Eavesdropper always observes 3 packets
(n,k,d)=(4,2,3)
Secure Code
1 2 3 1 4 5 2 4 6 3 5 6 1 2 3 4 5 6 X1+2X2+K1+K2+2K3
K1 K2 K3
X1+2K1+K2+K3 X2+K1+2K2+K3 Secret: X1 X2 X3
Random keys Coset Code
Secure Code in Bandwidth-Limited Regime and d<n-1
(n,k,d)=(7,3,4) Iwan’s Observation
Upper Bound on Secrecy Capacity
[Figure: nodes 1, 2, k, n and n+1, n+2, n+l, n+l+1, n+k; edge labels dβ, (d − 1)β, (d − k + 1)β]
$C(\alpha,\beta) \le \sum_{i=l+1}^{k} \min\{(d-i+1)\beta,\ \alpha\}$
Pawar, ElRouayheb, Ramchandran, ’10
Previous codes achieve this upper bound for bandwidth-limited regime α≥dβ
General Secure Codes
file Storage System
Coset Code
Regenerating Codes
Separation is Optimal for Bandwidth-Limited Regime
Keys
Surprising result #1: Separation is NOT Optimal
a1 a2 b1 b2
2a1+b1
a2+b2
Replacement node
a1+b1
2a2+b2 a1+2a2+b1+b2
(n,k,d)= (4,2,3) α=1 β=1/2
0.5MB 0.5MB
a1 a2
0.5MB
n1 n2 n3 n4
New node
Secret Size=1/2MB
β=1/3
It may be better not to use all your budgeted bandwidth or storage!
Tandon et al. ’10
Falling back to bandwidth-limited regime codes is always optimal for (n,n-1,n-1) systems
Secret Size=2/3MB
Finding the Optimal Inner Code is not trivial
[Plot for (n,k,d)=(7,6,6); axes: normalised storage per node α/M, normalised bandwidth β/M; labels: Achievable non-secure tradeoff secure regenerating codes MDS Divide & Share]
Goparaju, ElRouayheb, Calderbank, ’ISIT10
What is the best we can do with a Separation Scheme
Black Box (cannot touch)
- Simpler design if we want different files with different security requirements
- Cloud user: does not have control over the code
Theorem: [Goparaju, R., Calderbank, Poor Netcod ’13]
$C_s^* = (k-b)\left(1-\frac{1}{n-k}\right)^{b}\alpha$
Surprising result #2
Proof based on Geometry of Repair Spaces
[Figure: nodes 1, 2, 3, 4, 5; user; nodes 1’, 5’; labels α]
Theorem: [Goparaju, R., Calderbank, Poor Netcod ’13]
$\dim(S_{i_1}+S_{i_2}+\cdots+S_{i_b}) \ge \frac{\alpha}{2}+\frac{\alpha}{2^2}+\cdots+\frac{\alpha}{2^b}$
(n,k)=(5,3) b=2 compromised nodes
Data observed by Eve = Data stored on nodes 1’ and 2’ + Data downloaded from node 2
bα
dim(S1 + S2)
Secure (linear) capacity= kα – amount observed by Eve
$C_s^* \le (k-b)\,\frac{\alpha}{2^b}$
α/2 α/4 α/8 S1 S1+S2 S1+S2+S3
A Taste of the Proof…
[Figure: nodes 1, 2, 3, 4, 5 and 1’; labels α, S3, Sk+1, Sk+2; node contents f1, f2, f3, p1, p2]
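$p_1 = \sum_{i=1}^{k} A_i f_i, \qquad p_2 = \sum_{i=1}^{k} B_i f_i$
File: $(f_1, \dots, f_k)$, $f_i = (f_{i1}, \dots, f_{i\alpha})$
- Node 1’ downloads:
$S_2 f_2 \quad S_3 f_3 \quad S_k f_k$
$= S_{k+1}A_1 f_1 + S_{k+1}A_2 f_2 + \cdots + S_{k+1}A_k f_k$
$= S_{k+2}B_1 f_1 + S_{k+2}B_2 f_2 + \cdots + S_{k+2}B_k f_k$
$S_{k+1}A_1 + S_{k+2}B_1 = \mathbb{F}_q^n$
$S_2 = S_{k+1}A_2 = S_{k+2}B_2$
$S_k = S_{k+2}A_k = S_{k+1}B_k$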
- Analogy to interference alignment
- Write these subspace conditions for all failures
- Use them to prove the theorem by induction
Open Problems
[Plot: axes normalised storage per node α/M, normalised bandwidth β/M; label: secure regenerating codes]
- 1. Storage limited Regime?
- 2. Storage/Repair Bandwidth tradeoff to store a secret of a given size
- 3. Active adversary (omniscient, limited knowledge, …)
- 4. Linear vs. non-linear?
- 5. Can shared randomness help?
we know what to do here