6.2.2 The Existing Solution
A countermeasure against the mobile adversary is to periodically refresh the shares. More precisely, the shares are renewed at regular intervals of time so that the updated shares are completely independent of the old ones. At any point in time, i.e., between two share renewal phases, the mobile adversary is limited to corrupting at most $t-1$ storage servers, as described in Section 6.2.1.2. After the next share renewal phase, the updated shares are entirely independent of the old shares, meaning the attacker has to start over and corrupt the storage servers again. This process always leaves the adversary with no information about the outsourced data, and confidentiality is therefore maintained. Share renewal is also referred to as proactive secret sharing, as introduced by Herzberg et al. in [62]. At a high level, the storage servers compute some randomness values (also referred to as subshares) in a distributed fashion and add them to the old shares to generate the updated shares. These subshares are computed using the underlying Shamir's secret sharing scheme.
To thwart an active adversary, verifiable secret sharing is used: commitments to the coefficients of the polynomial used to compute the shares are broadcast to all storage servers and are used to detect deviations from the regular protocols. During the initial share generation phase Share, the storage servers use the commitments to check whether the data owner distributed consistent shares. During share renewal Renew, each storage server acts simultaneously as a receiver and as a dealer of subshares; the commitments are used to check whether the received subshares are consistent with the outsourced document and can therefore be used to compute valid updated shares. In this way, the integrity of the outsourced document is also preserved, because valid shares reconstruct to the original document. Proactive secret sharing supports both Feldman's and Pedersen's commitment schemes as used in verifiable secret sharing (see Section 2.1 for more details).
In the following, we present the proactive secret sharing protocol by Herzberg et al. [62] to periodically renew the shares of the outsourced data. It is presented in its verifiable version, where Pedersen's commitment scheme is used to cope with malicious storage servers sending invalid subshares during the protocol. Pedersen's commitment scheme is unconditionally hiding. This means that, contrary to the computationally hiding Feldman's commitment scheme, it does not allow an adversary to store the broadcast commitments until the underlying mathematical problem (in Feldman's case, the Discrete Logarithm Problem) becomes easily solvable due to cryptanalytic advances or the construction of a sufficiently large quantum computer. Thus, commitments computed using Pedersen's scheme cannot be broken to retrieve the coefficients of the polynomial used to compute the shares and, thereby, the outsourced data.
In order to use a commitment scheme during Renew, it also has to be in place during Share and Reconstruct. Thus, in the following, we also show how Share and Reconstruct as described in Section 2.1 are modified with Pedersen's commitment scheme.
Share first chooses two large primes $p, q$ such that $q \mid (p-1)$. It takes as input a message $m \in \mathbb{F}_q$ to be outsourced to the long-term secure storage system composed of storage servers $S_1, \ldots, S_n$, where $i \in I$ is the unique identifier ID of storage server $S_i$, and performs the following steps. Let $g, h$ be distinct generators of the subgroup of order $q$ of $\mathbb{F}_p^*$, and set $\mathbb{F}_q$ as both the message space and the share space. The reconstruction threshold $t$ is chosen so that $n \geq 2t-1$, i.e., so that there is an honest majority among the storage servers making up the long-term secure storage system. Polynomials $f(x) = a_0 + a_1 x + \cdots + a_{t-1}x^{t-1}$ and $\varphi(x) = b_0 + b_1 x + \cdots + b_{t-1}x^{t-1}$ are defined, where $a_0 := m$ and $a_1, \ldots, a_{t-1} \in \mathbb{F}_q$ and $b_0, b_1, \ldots, b_{t-1} \in \mathbb{F}_q$ are chosen uniformly at random. In the following, $b_0$ is denoted as $s$ to distinguish it from the other coefficients. The data owner computes share $\sigma_i$ for storage server $S_i$ as $\sigma_i := (f(i), \varphi(i))$, for $i = 1, \ldots, n$. The data owner commits to each coefficient pair $(a_k, b_k)$ by computing $c_k := g^{a_k} h^{b_k} \bmod p$, for $k = 0, 1, \ldots, t-1$. It broadcasts the commitments and sends share $\sigma_i$ to storage server $S_i$ through an information-theoretically secure channel. Each storage server $S_i$ accepts $\sigma_i$ as its valid share if and only if
$$g^{f(i)} h^{\varphi(i)} \equiv \prod_{k=0}^{t-1} c_k^{\,i^k} = g^m h^s \prod_{k=1}^{t-1} \left(g^{a_k} h^{b_k}\right)^{i^k} \pmod p.$$
Renew takes as input a subset of $t$ valid shares $\sigma_1, \ldots, \sigma_t$ and outputs updated shares $\sigma_i'$ for storage server $S_i$, for $i = 1, \ldots, n$. Each storage server $S_i$ performs the following steps.
1. It selects polynomials $f_i(x) = a_{i,0} + a_{i,1}x + \cdots + a_{i,t-1}x^{t-1}$ and $\varphi_i(x) = b_{i,0} + b_{i,1}x + \cdots + b_{i,t-1}x^{t-1}$, where $a_{i,0} = b_{i,0} = 0$ and both the coefficients $a_{i,1}, \ldots, a_{i,t-1} \in \mathbb{F}_q$ and $b_{i,1}, \ldots, b_{i,t-1} \in \mathbb{F}_q$ are chosen uniformly at random.
2. It computes subshare $\sigma_{j,i} := (f_i(j), \varphi_i(j))$ for each storage server $S_j$ with identity $j \neq i$, and subshare $\sigma_{i,i} := (f_i(i), \varphi_i(i))$ for itself.
3. It computes commitment $c_{i,k}$ to the coefficients $a_{i,k}$ and $b_{i,k}$ as $c_{i,k} := g^{a_{i,k}} h^{b_{i,k}} \bmod p$, for $k = 0, 1, \ldots, t-1$.
4. It sends subshare $\sigma_{j,i}$ to storage server $S_j$ through an information-theoretically secure channel for $j \neq i$, keeps subshare $\sigma_{i,i}$ private, and broadcasts the commitments $c_{i,0}, c_{i,1}, \ldots, c_{i,t-1}$.
5. It receives subshare $\sigma_{i,j} = (f_j(i), \varphi_j(i))$ and commitments $c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}$ from storage server $S_j$, for $j \neq i$.
6. It accepts $\sigma_{i,j}$ as a valid subshare if and only if
$$g^{f_j(i)} h^{\varphi_j(i)} \equiv \prod_{k=0}^{t-1} c_{j,k}^{\,i^k} = \prod_{k=1}^{t-1} \left(g^{a_{j,k}} h^{b_{j,k}}\right)^{i^k} \pmod p,$$
where $c_{j,0} = g^0 h^0 = 1$ because $a_{j,0} = b_{j,0} = 0$.
7. If all subshares are valid, it computes its updated share $\sigma_i'$ as
$$\sigma_i' := \Bigl(f(i) + \sum_{j=1}^{n} f_j(i),\; \varphi(i) + \sum_{j=1}^{n} \varphi_j(i)\Bigr).$$
Otherwise, it broadcasts a complaint message against the sender(s) $S_j$ of the invalid subshare $\sigma_{i,j}$ and aborts the protocol.
8. It deletes its old share $\sigma_i$.
Reconstruct takes as input $t$ valid shares $\sigma_1, \sigma_2, \ldots, \sigma_t$ and reconstructs the polynomials $f(x)$ and $\varphi(x)$ by Lagrange interpolation. Message $m$ is retrieved as $f(0) = m$ and value $s$ is retrieved as $\varphi(0) = s$. Having access to the commitments originally broadcast by the data owner, it is possible to check the validity of the reconstructed message $m$ and value $s$ by verifying that $(m, s)$ is a correct opening of commitment $c_0$, i.e., $g^m h^s \equiv c_0 \pmod p$.
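As an added, self-contained illustration of the three algorithms above (example code written for this page, not code from the thesis or from [62]), the following Python implements Share, Renew and Reconstruct with Pedersen commitments over a constructed toy group. The parameters $p = 2039$, $q = 1019$, $g = 2^2$ and $h = 5^2$ are assumptions chosen only for readability and are far too small for real use. Beyond the description above, the renewal step also carries the commitments forward as products of the dealers' commitments, so that updated shares can be verified again in the next round, and the optional `cheater` argument is a constructed misbehaviour used only to exercise the complaint path.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed toy group: p = 2q + 1 with p, q prime, so F_p^* has a unique
# subgroup of prime order q. Far too small for real use; chosen for readability.
P, Q = 2039, 1019
G = pow(2, 2, P)   # a square in F_p^* lies in the order-q subgroup
H = pow(5, 2, P)   # in a real deployment nobody may know log_g(h)
assert G != H and pow(G, Q, P) == 1 and pow(H, Q, P) == 1

Share = Tuple[int, int]   # (f(i), phi(i)) held by server i
Commitments = List[int]   # c_0, ..., c_{t-1}


def _poly_eval(coeffs: List[int], x: int) -> int:
    """Evaluate sum_k coeffs[k] * x^k over F_q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def _commit(a: List[int], b: List[int]) -> Commitments:
    """Pedersen commitments c_k = g^{a_k} h^{b_k} mod p to each coefficient pair."""
    return [pow(G, ak, P) * pow(H, bk, P) % P for ak, bk in zip(a, b)]


def verify_share(i: int, sh: Share, comms: Commitments) -> bool:
    """Check g^{f(i)} h^{phi(i)} == prod_k c_k^(i^k) mod p; exponents reduce mod q."""
    lhs = pow(G, sh[0], P) * pow(H, sh[1], P) % P
    rhs = 1
    for k, ck in enumerate(comms):
        rhs = rhs * pow(ck, pow(i, k, Q), P) % P
    return lhs == rhs


def share(m: int, n: int, t: int) -> Tuple[Dict[int, Share], Commitments]:
    """Share (data owner): a_0 = m, b_0 = s and all other coefficients random."""
    assert 0 <= m < Q and n >= 2 * t - 1
    a = [m] + [secrets.randbelow(Q) for _ in range(t - 1)]
    b = [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: (_poly_eval(a, i), _poly_eval(b, i)) for i in range(1, n + 1)}
    return shares, _commit(a, b)


def renew(shares: Dict[int, Share], comms: Commitments, t: int,
          cheater: Optional[int] = None
          ) -> Tuple[Dict[int, Share], Commitments, List[Tuple[int, int]]]:
    """Renew: each server i deals subshares of 0 to every server j, who checks them
    against i's broadcast commitments before adding them to its share. Returns
    (updated shares, updated commitments, complaints); non-empty complaints means
    abort. `cheater` is constructed misbehaviour: that server sends server 1 an
    inconsistent subshare so the complaint path can be exercised."""
    n = len(shares)
    subshares: Dict[Tuple[int, int], Share] = {}   # keyed (receiver j, dealer i)
    dealer_comms: Dict[int, Commitments] = {}
    for i in range(1, n + 1):
        a = [0] + [secrets.randbelow(Q) for _ in range(t - 1)]   # f_i(0) = 0
        b = [0] + [secrets.randbelow(Q) for _ in range(t - 1)]   # phi_i(0) = 0
        dealer_comms[i] = _commit(a, b)                        # so c_{i,0} = 1
        for j in range(1, n + 1):
            subshares[(j, i)] = (_poly_eval(a, j), _poly_eval(b, j))
        if i == cheater:
            f1, p1 = subshares[(1, i)]
            subshares[(1, i)] = ((f1 + 1) % Q, p1)
    complaints = [(j, i) for j in range(1, n + 1) for i in range(1, n + 1)
                  if not verify_share(j, subshares[(j, i)], dealer_comms[i])]
    if complaints:
        return {}, comms, complaints
    new_shares = {}
    for j in range(1, n + 1):
        fj, pj = shares[j]
        for i in range(1, n + 1):
            fj = (fj + subshares[(j, i)][0]) % Q
            pj = (pj + subshares[(j, i)][1]) % Q
        new_shares[j] = (fj, pj)
    # Commitments to the summed coefficients are the products of the dealers'
    # commitments (left implicit in the text); c_0 is unchanged since c_{i,0} = 1.
    new_comms = list(comms)
    for k in range(t):
        for i in range(1, n + 1):
            new_comms[k] = new_comms[k] * dealer_comms[i][k] % P
    return new_shares, new_comms, []


def reconstruct(subset: Dict[int, Share], comms: Commitments) -> Optional[Tuple[int, int]]:
    """Lagrange-interpolate f(0) = m and phi(0) = s from t shares, then check that
    (m, s) opens c_0. Returns None if the opening check fails."""
    m = s = 0
    for i, (fi, pi) in subset.items():
        lam = 1
        for j in subset:
            if j != i:
                lam = lam * (-j) * pow(i - j, -1, Q) % Q
        m = (m + fi * lam) % Q
        s = (s + pi * lam) % Q
    if pow(G, m, P) * pow(H, s, P) % P != comms[0]:
        return None
    return m, s
```

With `share(42, 5, 3)` any three renewed shares reconstruct to the same $(m, s)$ as any three original shares, and every renewed share still verifies against the updated commitments, whereas a share carried over from a previous epoch combined with renewed ones interpolates to a wrong value and fails the opening check against $c_0$ (except with probability about $1/q$). That is exactly what leaves a mobile adversary holding stale shares with nothing, and it is also why step 8 of Renew, deleting the old share, matters for the guarantee.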
The above proactive secret sharing scheme is a secret sharing scheme according to Definition 2.2 that provides the security guarantees of accessibility and perfect security formalized in Definition 2.1, equipped with an additional algorithm Renew, run by the storage servers in a distributed fashion, that still satisfies the security properties of Definition 2.1. Note that, for simplicity, we have shown the above protocols for only a single message chunk $m$ of a larger message $M$ to be outsourced. Thus, the sharing, renewing and reconstructing protocols have to be performed for each chunk $m$ that message $M$ was divided into. We formalize this in Section 6.3.2 when presenting LSTee.