Framework

Social secret sharing, introduced in Section 2.3, is used when data owners want to outsource their data in distributed fashion so that the storage servers involved are granted with reconstruction capabilities that mirror their performances. More precisely, distributed storage systems are composed of storage servers from different commercial storage service providers whose performance might change over time. The performance of each storage server is expressed by an aggregate performance score which determines the weight of a storage server with respect to the reconstruction of the data. This weight determines how informative the share distributed is. In addition, the performance of the selected storage servers is monitored such that the reconstruction power of each storage server can be adapted accordingly. In the following, we define adaptive social secret sharing schemes as social secret sharing schemes that in addition of algorithms Share, Tune, and Reconstruct of social secret sharing schemes (see Definition 2.9) allow to perform algorithm Reset of dynamic secret sharing schemes of Definition 3.1. That is, an adaptive social secret sharing scheme is composed of algorithms that fulfill the security properties of accessibility and perfect security formalized in Definition 2.1. Adaptive social secret sharing is the primitive based on which we construct our solution AS3 _{for distributed storage}

systems. We also formalize the setup on which such solution is instantiated and determine the requirements that distributed storage systems have to fulfill in order

4.1 Adaptive Social Secret Sharing for Distributed Storage Systems

to be viable solutions for long-term storage of data.

Definition 4.1. For a message space M, a space of shares Σ, a set of shareholders

S = {s1, . . . , sn} where i ∈ I is the unique ID of shareholder si ∈ S, and an access

structure Γ ⊂ P(S), an adaptive social secret sharing scheme is a social secret sharing scheme according to Definition 2.9 with an additional PPT algorithm Reset run by an authorized set of shareholders that also satisfies the security properties of Definition 2.1. More precisely, an adaptive social secret sharing scheme is a tuple of PPT algorithms Share, Tune, Reset, and Reconstruct defined as follows.

Share takes as input a message m ∈ M and a vector of weights w1, . . . , wn ∈ [0, 1],

where Pn

i=1wi = 1. It outputs n shares σ1, . . . , σn∈ Σ, where share σi is to be sent

to shareholder si ∈ S and whose reconstruction capability matches weight wi, for

i = 1, . . . , n.

Tune takes as input aggregate performance scores τ1, . . . , τn ∈ [0, 1] for, respectively,

shareholders s1, . . . , sn computed by a performance scoring mechanism. It outputs

weights w1, . . . , wn for shareholders s1, . . . , sn.

Reset takes as input a set of shares σ1, . . . , σr held by a subset R ⊂ S of share-

holders, a vector of weights w1, . . . , wn for shareholders s1, . . . , sn, a new set of

shareholders S0 = {s0₁, . . . , s0_n0} (where S0 needs not be disjoint from S and n0 needs

not to be different from n) with a vector of bootstrapped weights w0₁, . . . , w0_n, and an access structure Γ0 ⊂ P(S0_{). If R is unauthorized, i.e. R /∈ Γ, it outputs ⊥.}

Otherwise, R ∈ Γ and without message reconstruction, it outputs n0 shares σ₁0, . . . , σ0_n0,

where share σ_i0 is to be sent to each new shareholder s0_i ∈ S0_{, for i = 1, . . . , n}0_{. The}

shares σ1, . . . , σn∈ Σ held by the old shareholders are deleted.

Reconstruct takes as input a set of shares σ1, . . . , σr held by a subset R ⊂ S of

shareholders. It outputs m ∈ M if R ∈ Γ, and ⊥ otherwise.

For our framework, we assume that the set S = {s1, . . . , sn} of shareholders in

Definition 4.1 are n storage servers owned by different storage service providers. Like for the original definition of social secret sharing presented in Section 2.2, also algorithm Share of adaptive social secret sharing allows the data owner to store their messages either by using weighted secret sharing or hierarchical secret sharing. The reason is that Shamir’s threshold secret sharing scheme, and therefore its weighted version, and Tassa’s hierarchical conjunctive and disjunctive scheme are dynamic and can be equipped with algorithm Reset, as presented in Section 3.2. In both cases the initial weights w1, . . . , wn for storage servers s1, . . . , sn are determined and

algorithm S.Share of the underlying secret sharing scheme is called with the vector of weights as input. Afterwards, the storage servers run periodically algorithm Tune to determine and update the weights of each storage server and to accordingly adjust

the shares by calling the algorithm S.Reset. More precisely, algorithm Reset allows the user to add, remove, and replace storage servers by first computing weights for the newcomers and then calling algorithm S.Reset of the underlying secret sharing scheme with the new storage servers and weights as input. Finally, at any time the user can retrieve the message by running algorithm Reconstruct, which calls the algorithm S.Reconstruct of the underlying secret sharing scheme.

Our scheme is parameterized by the following values. (1) The total number of storage servers n which is input to algorithm Share and can be changed by calling algorithm Reset. (2) The weights w1, . . . , wnof storage servers s1, . . . , sn, respectively,

which are initialized by algorithm Share and updated regularly by algorithm Tune. If we use weighted secret sharing as underlying secret sharing scheme we also use (3a) threshold t required to reconstruct the message while for hierarchical secret sharing we have (3b.1) the total number ` of levels and (3b.2) thresholds t1, . . . , t` for levels

L1, . . . , L`, respectively. In addition, d denotes the total number of different subsets

of storage servers that are able to reconstruct the message.

There are two aspects that distributed storage systems should guarantee: con- fidentiality and availability of the outsourced data. As we have discussed in the introduction of this chapter, confidentiality and availability rely on the performance of the storage servers involved. These two properties rely on algorithm Reset and algo- rithm Reconstruct that can be performed in distributed fashion by authorized subsets of storage servers. More precisely, a certain threshold of storage servers is needed to perform algorithms S.Reset and S.Recontruct of the underlying dynamic secret sharing scheme and correspondingly to run algorithms Tune, Reset, and Recontruct of the adaptive social secret sharing scheme. Thus, the parameters must be chosen such that the system can cope with low-performing storage servers. On the other hand, storage servers with high aggregate performance scores are more likely to perform well the next time one of the above algorithms is called, but this is not guaranteed. There is always the possibility that problems occur and they respond late or not at all. In this worst case scenario, the algorithms still have to be run and the operations of updated still have to be carried out. In order for this to happen, the shares must be distributed so that, in case the highest-performing storage servers are faulty, the other storage servers form at least one authorized set that can correctly run algorithms Reset and Reconstruct. We present in the next session how algorithm Tune is instantiated so that this requirement holds.