Efficient LDPC Code Based Secret Sharing Schemes and Private Data Storage in Cloud without Encryption

Efficient LDPC Code Based Secret Sharing Schemes and

Private Data Storage in Cloud without Encryption

Yongge Wang

Department of SIS, UNC Charlotte, USA [email protected]

Abstract. LDPC codes, LT codes, and digital fountain techniques have received significant attention from both academics and industry in the past few years. By employing the underlying ideas of efficient Belief Propagation (BP) decoding process in LDPC and LT codes, this paper introduces three classes of secret sharing schemes called BP-XOR secret sharing schemes, pseudo-BP-XOR secret sharing schemes, and LDPC secret sharing schemes. By establishing the equiv-alence between the edge-colored graph model and degree-two BP-XOR secret sharing schemes, we are able to design novel perfect and ideal2-out-of-n BP-XOR secret sharing schemes. By employing techniques from array code design, we are also able to design other(n, k)threshold LDPC secret sharing schemes. In the efficient (pseudo) BP-XOR/LDPC secret sharing schemes that we will con-struct, only linear number of XOR (exclusive-or) operations on binary strings are required for both secret distribution phase and secret reconstruction phase. For a comparison, we should note that Shamir secret sharing schemes require

O(nlogn)field operations for the secret distribution phase andO(n2)field oper-ations for the secret reconstruction phase. Furthermore, our schemes achieve the optimal update complexity. By update complexity for a secret sharing scheme, we mean the average number of bits in the participant’s shares that needs to be revised when certain bit of the master secret is changed. The extremely efficient secret sharing schemes discussed in this paper could be used for massive data storage in cloud environments achieving privacy and reliability without employ-ing encryption techniques.

1

Introduction

The concept of threshold secret sharing schemes is one of the most important cryp-tographic primitives that have been used in many areas of crypcryp-tographic applications. Since the concept of secret sharing schemes was introduced by Blakley [3] and Shamir [18], there have been considerable efforts on the study of the bounds of share sizes, in-formation rate, the number of participants for perfect and ideal threshold schemes, and on efficient secret sharing schemes. By an ideal threshold scheme, we mean a secret sharing scheme for which the size of the shares is the same as the size of the secret.

In a simple secret sharing scheme, we havenparticipants. A secretsis encoded intonshares and each participant will receive one share. Anyk≤ nparticipants can come together and reconstruct the secretsthough nok−1participants could learn any information of the secret. These schemes are known as(n, k)threshold schemes.

One of the most important problems in secret sharing schemes is to make both se-cret distribution phase and sese-cret reconstruction phase efficient. For the Reed-Solomon codes based Shamir secret sharing scheme, it takes O(nlogn) field operations for the secret distribution phase and O(n2_{)field operations for the secret reconstruction} phase. It should be noted that in theory, Reed-Solomon codes could be decoded in

O(nlog2nlog logn)field operations (see, e.g., [15]). However, for small numbers of

n, the quadratic time algorithms are much faster than the fast theoretical algorithms. Low Density Parity Checking (LDPC) codes were invented by Robert Gallager [10] in his PhD thesis. After being invented, they were largely forgotten and have been rein-vented multiple times for the next 30 years. In the last decade, LDPC codes found their ways to many applications such as satellite transmission of digital television, 10GBase-T Ethernet, and WiFi 802.11n standards. Luby transform codes (L10GBase-T codes) [13] are erasure correcting codes and are instances of LDPC codes. LT codes belong to the fam-ily of rateless digital fountain codes which can in principle produce an infinite number of encoding symbols.

By employing the underlying ideas of efficient Belief Propagation (BP) decoding process in [13, 14], we introduce three classes of secret sharing schemes called BP-XOR secret sharing schemes, pseudo-BP-BP-XOR secret sharing schemes, and LDPC se-cret sharing schemes. The BP-XOR sese-cret sharing schemes can be considered as LT code based secret sharing schemes. Edge-colored graph models were introduced by Wang and Desmedt in [19] to model homogeneous faults in networks. We will show the equivalence between the edge-colored graph model and degree-one-and-two encod-ing symbol based BP-XOR secret sharencod-ing schemes. Usencod-ing this equivalence result, we are able to design perfect and ideal2-out-of-n BP-XOR secret sharing schemes. We will also present several designs for general(n, k)LDPC secret sharing schemes. In the (pseudo) BP-XOR/LDPC secret sharing schemes that we will construct, only XOR (exclusive-or) operations on binary strings are required and both the secret distribution phase and secret reconstruction phase could be done in linear number of XOR opera-tions on bits (relative to the secret size).

One of the other important problems in secret sharing schemes is to design efficient homomorphic sharing schemes which were first introduced by Benaloh [2]. Desmedt and Frankel [8] proposed a black-box secret sharing scheme for which the distribution matrix and the reconstruction vectors are defined over the integer ringZ and are de-signed independently of the groupGfrom which the secret and the shares are sampled. Cramer and Fehr [7] then continued the study by showing that the optimal lower bound

O(log₂n)for the expansion factor could be achieved in general Abelian groups. Secret sharing schemes, for which the secret distribution and reconstruction phases are based on XOR operations on binary strings, could be converted to secret sharing schemes on several black-box Abelian groups on binary strings. Thus our results could be adapted to certain black-box based secret sharing schemes.

In this paper, we will introduce the concept ofupdate complexityof secret sharing schemes. The update complexity of a secret sharing scheme is defined as the average number of bits of the shares affected by a change of a single master secret bit. For an

the update complexity isn−k+ 1. In this paper, we will show that our schemes will achieve this lower bound.

Due to the expensive cost of field operations of secret sharing schemes such as Shamir schemes, secret sharing schemes have traditionally been used for the distribu-tion of secret keys, which is then used to encrypt the actual data. Since our schemes are based on linear numbers of XOR operations and are extremely efficient, it is possible to share the massive data directly using secret sharing schemes. In another word, the data stored at different locations (e.g., cloud servers) are shares of the original data and only XOR operations on bits are needed for distributing massive data to the cloud servers and for reconstructing the original data from shares stored at different cloud servers. This may help to design efficient protocols for certain applications of computation over encrypted data.

The structure of this paper is as follows. In Section 2, we briefly discuss the connec-tion between MDS codes and secret sharing schemes and show how to covert an MDS code to a secret sharing scheme. Section 3 introduces the concepts of LDPC based se-cret sharing schemes such as BP-XOR sese-cret sharing schemes, pseudo BP-XOR sese-cret sharing schemes, and LDPC secret sharing schemes. Section 4 introduces perfect and ideal(n,2)threshold BP-XOR secret sharing schemes. Section 5 shows the limitation of degree two encoding symbols for perfect and perfect and ideal(n, k)BP-XOR secret sharing schemes and Section 6 discusses perfect and ideal(n, k)LDPC secret sharing schemes fork= 3,4. We briefly discuss dual codes in Section 7 and conclude in Sec-tion 8 with some discussion on applying our techniques to reliable and private massive data storage in cloud.

2

MDS codes and Secret Sharing Schemes

For an[n, k, d]linear code, the Singleton bound claims thatd≤n−k+ 1. An[n, k, d]

linear code is maximum distance separable (MDS) ifd =n−k+ 1(see, e.g., [15]). Akout ofnthreshold sharing scheme is a perfect sharing scheme if for any secrets0, anykparticipants can reconstruct thes0and any subset ofk−1 or less participants gain no information abouts0. Letp1,· · ·, pn represent the shares distributed to then

participants and letsbe a variable over the secret sampling space. We can restate these requirements as follows. For any set ofkindices{i1, i2,· · · , ik}, we have

P rob(s=s0|pi1, pi2,· · · , pik) = 1

and

P rob(s=s0|pi1, pi2,· · ·, pik−1) =P rob(s=s0).

It is well known [4] that each[n, k, d]MDS code could be converted to a perfect and ideal(n, k)threshold sharing scheme. As an example, let

g(z) = (z−1)(z−α)· · ·(z−αn−k−1) =g0+g1z+· · ·+gn−kzn−k

be the generator polynomial for the Reed-Solomon code overF = GF(qm_{), where}

αis a primitive element ofGF(qm_{). For an information symbol polynomialf(z) =}

For the above Reed-Solomon code, if we let the secrets = f0 and distribute the remaining coefficients ofc(z)to then−1participants respectively, then we obtain a perfect and ideal(n−1, k)threshold secret sharing scheme overGF(qm_{). By applying}

a technique from Karnin, Greene, and Hellman [11], this scheme could be extended to an(n, k)threshold secret sharing scheme if we givecn =f0+· · ·+fk−1to thenth participant.

3

(Pseudo) BP-XOR Secret Sharing Schemes and LDPC Secret

Sharing Schemes

Low density array codes have been studied extensively for burst error correction in com-munication systems and storage systems (see, e.g., [5, 6, 20]). Array codes are linear codes where information and parity data are placed in a two dimensional matrix array. In this section, we introduce several concepts of LDPC based secret sharing schemes. We first introduce the concepts of array BP-XOR codes which will then be used to define LDPC based secret sharing schemes.

For fixed numbersl, b, k, n, letM ={0,1}l_{be the message symbol set andα}

1,· · ·,

αbk be variables taking values fromM, which are called information symbols. A t

-erasure tolerating array code is ab×nmatrixC = [σi,j]1≤i≤b,1≤j≤n such that each

encoding symbolσi,j ∈ {0,1}lis the exclusive-or (XOR) of one or more information

symbols fromα1,· · · , αbkandα1,· · · , αbkcould be recovered from anyn−tcolumns

of the matrix. For an encoding symbolσi,j=αi1⊕ · · · ⊕αiτ, we callαij (1≤j≤τ)

a neighbor ofσi,jand callτthe degree ofσi,j.

The Belief Propagation decoding process for binary symmetric channels (BSC) is present in Gallager [10] and is also used in artificial intelligence community [17]. The BP decoding process for binary erasure channels (BEC) is described as follows:

(Cf. [13, 14]) If there is at least one encoding symbol that has exactly one neigh-bor then the neighneigh-bor can be recovered immediately. The value of the recovered information symbol is XORed into any remaining encoding symbols that have this information symbol as a neighbor. The recovered information symbol is removed as a neighbor of these encoding symbols and the degree of each such encoding symbol is decreased by one to reflect this removal.

If we add the following additional step to each loop of the above BP decoding process, we obtain a new decoding process which we will call the pseudo-BP decoding process on the BEC:

If all the neighbors of an encoding symbolσiis a subset of the neighbor set of

another encoding symbolσj, then the value ofσiis XORed into all such kind

of encoding symbolsσj.

An array codeC= [σi,j]1≤i≤b,1≤j≤nis called an array BP-XOR code (respectively,

array pseudo BP-XOR code) if all information symbolsα1,· · ·, αbkcan be recovered

from any n−t columns of the matrix using the BP-decoding process on the BEC (respectively, the pseudo BP-decoding process on the BEC).

At-erasure toleratingb×narray codeCis said to be maximum distance separable (MDS) if we havek = n−t. The array codeCover the alphabetM = {0,1}l_can

be considered as a linear code over the extension alphabetMb_{of lengthnor a linear}

code over the alphabetMof lengthbn. Abt×bn(respectively,bk×bn) binary matrix is said to be a parity-check (respectively, generator) matrix of ab×n array codeC if it is a parity-check (respectively, generator) matrix of Cwhen Cis considered as a length bnlinear code over the alphabetM. For example, the matrix H (respectively

G) is a parity-check (respectively, generator) matrix of the array codeC if we have

HyT = 0 (respectively, y = xG) wherey = (σ1,1,· · · , σb,1,· · ·, σ1,n,· · ·σb,n),

x= (α1,· · ·, αbk), and the addition of two strings inMis defined as the XOR on bits.

An array codeCis called low density parity-check (LDPC) if its parity-check (or equivalently, the generator) matrix contains small number of nonzero entries. For an MDS array code, it is straightforward to show that each row of the parity-check (re-spectively, the generator) matrix must contain at leastn−r+ 1(respectively,r+ 1) nonzero entries (see [6] for a proof).

Now we are ready for our definition of LDPC secret sharing schemes.

Definition 1. An(n, k) threshold BP-XOR (respectively, pseudo BP-XOR or LDPC) secret sharing schemeSis an array BP-XOR (respectively, pseudo BP-XOR or LDPC) codeC= [σi,j]1≤i≤b,1≤j≤n+1with the following conditions:

– the secrets0=σ1,1|| · · · ||σb,1where||denotes string concatenation. – for1≤i≤n, theith participant receives the sharepi=σ1,i+1|| · · · ||σb,i+1 – the secret distribution process in the above two steps generates a perfect(n, k)

threshold secret sharing scheme.

4

Perfect and ideal

(

n,

2)

threshold BP-XOR secret sharing

schemes

In this section, we first show the equivalence of degree2array BP-XOR codes and edge-colored graphs. We then use these results to design array BP-XOR codes and finally we convert these array BP-XOR codes to efficient perfect and ideal(n,2)threshold BP-XOR secret sharing schemes.

4.1 Edge-colored graphs

Wang and Desmedt [19] introduced the edge-colored graph model for modeling homo-geneous faults in networks.

Definition 2. (Wang and Desmedt [19]) An edge-colored graph is a tupleG(V, E, C, f), withV the node set,Ethe edge set,Cthe color set, andf a map fromEontoC. The structure

ZC,t={Z:Z⊆E and |f(Z)| ≤t}.

is called at-color adversary structure. LetA, B ∈V be distinct nodes ofG.A, Bare called(t+ 1)-color connectedfort ≥1if for any color setCt⊆Cof sizet, there is

a pathpfromAtoBinGsuch that the edges onpdo not contain any color inCt. An edge-colored graphGis(t+ 1)-color connectedif and only if for any two nodesAand

BinG, they are(t+ 1)-color connected.

Fig. 1.3-color connected edge-colored graphG4,2

v

v

v

v

v

v

v

Table 1.Table representation of edge-colored graphG4,2 hv1, v6i hv2, v7i hv3, v1i hv4, v2i

hv2, v5i hv3, v6i hv4, v7i hv5, v1i hv3, v4i hv4, v5i hv5, v6i hv6, v7i

As an example, Figure 1 shows a 3-color connected graphG4,2 with7nodes,12 edges, and4colors. The edge-colored graphsG4,2can also be represented by the Table 1 where the edges with the same color are put in the same column.

Though Wang and Desmedt [19] presented a few simple constructions of edge-colored graphs with certain color connectivity, their results could not be extended to general cases and are not sufficient for our study of secret sharing schemes. In the following, we present a general construction of(t+ 1)-color connected edge-colored graphs using perfect one-factorizations of complete graphs. We useKn = (V, E)to

denote the complete graph withnnodes. For an evenn, a one-factor ofKn is a set of

pairwise disjoint edges that partition the set of nodes inV. A one-factorization ofKn

(nis even) is a set of one-factors that partition the set of edgesE. A one-factorization is called perfect (or P1F) if the union of every two distinct one-factors is a Hamiltonian circuit. It is shown (see, e.g., [1, 16]) that perfect one-factorizations forKp+1,K2p, and

certainK2ndo exist, wherepis a prime number. It is conjectured that P1F exist for all

Example 1. – P1F for Kp+1: For an integer a, let haip denote the integer b ∈

{0,· · · , p−1}such thatb≡amodp. LetV ={v0, v1,· · · , vp}and

Fl={hl, pi} ∪ {(vhi+lip, vhj+lip) :hi+jip= 0and0≤i6=j < p}.

ThenF0, F1,· · ·, Fp−1is a perfect one factorization ofKp+1.

– P1F forK2p: LetV ={v0,· · · , v2p−1}and

Fl=

_{(v

i, vj) :i+j=lmod2p} ∪ {(vl

2, v2l+p)} iflis even

{(vi, vj) :iis odd, i−j=lmod2p} ifl6=pis odd

ThenF0, F1,· · ·, Fp−1, Fp+1,· · ·, F2p−2is a perfect one factorization ofK2p.

Theorem 1. Let nbe an even number such that there is a perfect one-factorization

F1,· · · , Fn−1 for Kn. For eacht ≤ n−3, there exists a (t + 1)-color connected

edge-colored graphGwithn−1nodes,(t+ 2)(n/2−1)edges, andt+ 2colors. Proof. Letv1, . . . , vn be a list of nodes for Kn andV = {v1,· · · , vn−1}. LetFi0 =

Fi\ {hvn, vii: i = 1,· · · , n−1},E = F10 ∪ · · · ∪Ft0+2, and color all edges inFi0

with the colorcifori≤t+ 2. Then it is straightforward to check that the edge-colored

graph(V, E)is(t+ 1)-color connected,|V|=n−1, and|E|= (t+ 2)(n/2−1). 2

Remarks on Proof of Theorem 1: Since only node connectivity instead of Hamilto-nian circuit is required for(t+ 1)-color connected graphs, we could useF_i0instead of

Fi to construct the edge-colored graph. By usingFi0, we reducet+ 2edges and one

node in the resulting edge-colored graph. This will help us to keep the minimum cost for connectivity.

4.2 Constructing MDS array BP-XOR codes from edge-colored graphs

We now use edge-colored graphs to construct array BP-XOR codes. As an example, we give the BP-XOR code corresponding to the graphG4,2from Table 1. First, each edge in Table 1 is mapped to the XOR of the two adjacent nodes. Then choose a fixed node (e.g.,v7) and remove all the occurrences of this node (e.g.,v7) to get the MDS array BP-XOR code in Table 2.

Table 2.BP-XOR code corresponding toG4,2

v1⊕v6 v2 v3⊕v1 v4⊕v2

v2⊕v5 v3⊕v6 v4 v5⊕v1

v3⊕v4 v4⊕v5 v5⊕v6 v6

In the following, we give a general construction of array BP-XOR codes from edge-colored graphs. Letv1, v2,· · · , vk, vk+1 be variables that take values fromM = {0,1}l_{, wherelis any fixed length. LetG(V, E, C, f)be a(t+1)-color connected}

we consider the nodes inG(V, E, C, f)as data block variables, edges as their parity check blocks of the adjacent nodes, and colors on the edges as labels for placing the parity checks into different columns of the array codes, then the following steps con-struct ab×narray BP-XOR codes, whereb= maxc∈C{|Z|:Z⊆E, f(Z) =c}.

1. For1≤i≤n, let

βi={vi⊕vj:hvi, vji ∈E, f(hvi, vji) =ci, andi, j6=k+ 1}∪

{vi:hvi, vk+1i ∈E, f(hvi, vbk+1i) =ci}

2. If|βi|is smaller thanm, add empty element toβito make it anm-element set.

3. The array BP-XOR code is specified by theb×nmatrixCG= (β1T,· · ·, βnT).

Next we show that the above array BP-XOR codeCGcan toleratet-erasure columns.

Assume that the missingtcolumns of the codeCGcorrespond to thet-color setCt⊂C

of the graphG. Since the graphGis(t+ 1)-color connected, for any nodevi0 ∈V, we

have a pathp=hvk+1, vi1, vi2,· · · , vij, vi0iwithout using any colors inCt. Thusvi0

could be recovered by the following equation

vi0 =vi1⊕(vi1⊕vi2)⊕ · · · ⊕(vij ⊕vi0)

wherevi1, vi1 ⊕vi2,· · ·,vij ⊕vi0 are all available in the non-missing columns. In

another word, the Belief Propagation decoding process could be used to recover the entire data blocksv1,· · ·, vkfrom the non-missing columns.

The following theorem shows that eacht-erasure tolerating array BP-XOR code with encoding symbols of degree one or two could be converted to a (t + 1)-color connected edge-colored graph also.

Theorem 2. LetCbe anb×narray BP-XOR code with the following properties: 1. Cist-erasure tolerating;

2. Ccontainskinformation symbols; and

3. Ccontains only degree one and two encoding symbols.

Then there exists a(t+ 1)-color connected edge-colored graph G(V, E, C, f)with

|V|=k+ 1,|E|=bn, and|C|=n.

Proof.Letv1,· · ·, vk be the information symbols ofC = [ai,j](i,j)∈[1,b]×[1,n]and

vi1,· · ·, viu be a list of degree one encoding symbols in C. Then the (t + 1)-color

connected edge-colored graphG(V, E, C, f)is defined by the following steps: 1. V ={v1,· · ·, vk, vk+1};

2. E=∪j∈[1,u]{hvk+1, viji} ∪ {hvi0, vj0i:ai,j =vi0⊕vj0 ∈ C};

3. C={c1,· · ·, cn};

4. for eachai,j=vi0⊕v_j0 ∈ C, letf(hv_i0, v_j0i) =c_jand for eacha_i,j=v_i0 ∈ Clet

f(hvk+1, vi0i) =c_j

LetCtbe a color set of sizetandviandvjbe two nodes. Since the codeCist-erasure

tolerating, bothviandvjcould be recovered from encoding symbols not contained in

the columns corresponding to the colors inCt. Thus there exists a pathp(respectively,

q) connectingvk+1tovi(respectively, tovj) without usingCt-colored edges. It follows

Theorem 3. Let n be an odd number such that there is a perfect one-factorization

F1,· · · , Fn forKn+1. Then forb = n−₂1, there exists an(n−2)-erasure tolerating

MDSb×narray BP-XOR codeCb,n,2.

Proof. It follows from Theorem 1 and the above discussions. 2

Corollary 1. For givenbandn≤2b+ 1, if2b+ 1orb+ 1is a prime number, then there exists an(n−2)-erasure tolerating MDSb×narray BP-XOR codeCb,n,2.

4.3 Perfect and ideal 2-out-of-nBP-XOR secret sharing schemes with minimum update complexity

By Corollary 1, there are MDSb×narray BP-XOR codesCb,n,2= [σi,j]if2b+ 1or

b+ 1is a prime number andn ≤ 2b+ 1. Following the discussion in Section 2, we can convertCb,n,2 to a perfect and ideal(n−1,2)threshold BP-XOR secret sharing schemes as follows.

From our discussion in the previous section, the first column ofCb,n,2corresponds to a one-factor of an edge-colored graph. Without loss of generality, we may assume that the first column of Cb,n,2 consists ofvi1 ⊕vi01,vi2 ⊕vi02, · · ·,vib ⊕vi0b. For a

given secrets= (s1,· · ·, sb)wheresi ∈ {0,1}l, the dealer chooses random values for

vi0

1,· · ·, vi0b ∈ {0,1}

l_{and setsv}

i1 =vi01⊕s1,vi2 =vi20 ⊕s2,· · ·,vib = vi0_b⊕sb.

The dealer computes the codeCb,n,2using the P1F of the complete graphK2b+2and securely distributes the(i+ 1)th column ofCb,n,2to the participantpi.

By the MDS property ofCb,n,2, any two participants could use their shares to

re-construct the secret. Again by the MDS property ofCb,n,2and the discussion in Section 2, the above constructed secret sharing scheme is a perfect and ideal 2-out-of-(n−1)

threshold secret sharing scheme.

It should be noted that the above constructed secret sharing schemes have the min-imum update complexity. By the property that each column ofCb,n,2corresponds to a subset of a one-factor of the edge-colored graph together with zero or one node in the graph, each node of the edge-colored graph have at most one occurrence in each column ofCb,n,2. In our above secret sharing scheme, the secret corresponds to one half of the

nodes in the edge-colored graph. Thus if one bit of the master secret changes, we need to update at most one bit for the shares of each participant (some participant’s shares do not need to be updated if her shares do not contain the corresponding node). Obviously, this is best one could achieve. In another word, our secret sharing schemes achieve the minimum update complexity.

4.4 An example of(n,2)BP-XOR secret sharing schemes

Letnbe the given number of participants for a desired perfect(n,2)BP-XOR secret sharing scheme. The dealer chooses the least integer n0 ≥ n+ 2such that P1F for

Kn0 exists. Without loss of generality, we may assume that n0 = p+ 1wherepis an odd prime (note thatp ≥n+ 1). Using P1F design in Example 1 forKp+1with

V ={v0,· · · , vp}, we have Fi= n hvh0+iip, vpi;hvh1+iip, vhp−1+iipi;· · · ;hvhp−1 2 +iip, vhp+12 +iipi o

for 0 ≤ i ≤ p−1. Remove the edge hvi, vpifrom Fi and the remaining edges in

Fiis mapped to the XOR of the adjacent node variables and all occurrences ofv0are removed. We then get theb×parray BP-XOR code in Table 3 whereb= (p−1)/2. Assume that the secrets=s1· · ·sbwheresi ∈ {0,1}l(we can always pad the secret

Table 3.(p−1)/2×pBP-XOR code

v1⊕vp−1 · · · vp−1⊕vp−3 vp−2

v2⊕vp−2 · · · vp−4 v1⊕vp−3 · · · ·

vb⊕vb+1 · · · vb−2⊕vb−1 vb−1⊕vb

to a multiple ofb-bits if it is not). The dealer chooses random values forvb+1,· · · , vp−1 from{0,1}l_{and setsv}

1 =s1⊕vp−1,· · ·, vb =sb⊕vb+1. Fori= 1,· · ·, n, theith

participant receives the values in the(i+ 1)th column of Table 3. It is straightforward to verify that the above scheme is a perfect and ideal(n,2)secret sharing scheme.

We should also note that the(p−1)/2×pBP-XOR code in Table 3 is equivalent to a code designed by Zaitsev, Zinov’ev, and Semakov [9] which was later reformulated in [6, 20].

5

The limitation of degree two encoding symbols for perfect and

ideal

(

n, k

)

BP-XOR secret sharing schemes

Generally, we have interests in designing perfect and ideal BP-XOR(n, k)secret shar-ing schemes for k > 2. Our results in this section show that degree two encoding symbols are not sufficient for designing perfect and ideal BP-XOR(n, k)secret sharing schemes withk > 2. We prove some bounds for array BP-XOR codes which can be automatically converted to perfect and ideal BP-XOR secret sharing schemes.

In order for at-erasure toleratingb×narray BP-XOR code to be MDS, there need

(n−t)binformation symbols. The following theorem provides a necessary condition for the existence of array BP-XOR codes when only degree one and two encoding symbols are used.

Theorem 4. LetC= [ai,j](i,j)∈[1,b]×[1,n]be at-erasure tolerating array BP-XOR code

withkbinformation symbols wherek=n−t. Assume thatCuses degree one and two encoding symbols only andk >2. Then we have

n≤ k−1 k−2 k− 2 (k−2)b+ 1 (1)

Proof.By the fact thatCist-erasure tolerating, each information symbol must occur in at leastt+ 1columns. Since there arekbinformation symbols to encode, the total number of information symbol occurrences inCis at leastkb(t+ 1).

In order for the BP decoding process to work, we must start from a degree one encoding symbol. Thus we need to have at leastt+ 1degree one encoding symbols in distinct columns ofC. This implies that we could use at mostbn−(t+ 1)cells to hold encoding symbols for degree two. In another word,Ccontains at most2(bn−(t+ 1)) +

t+ 1occurrences of information symbols. By the above fact, we must have

kb(t+ 1)≤2(bn−(t+ 1)) +t+ 1.

By rearranging the terms and moving all terms to the right hand side, we get

k(k−1)b−((k−2)b+ 1)n+ (k−1)≥0.

The above inequality could be rewritten as

((k−2)b+ 1) _k(k−1) k−2 −n ≥ 2k−2 k−2

This implies the equation (1). 2

The result in Theorem 4 shows that, for an (n−3)-erasure or (n−4)-erasure tolerating BP-XOR code, if we only use degree one and two encoding symbols then we haven ≤ 5. For the case of(n, k)threshold BP-XOR secret sharing schemes, these results could be interpreted as follows: If we only use degree one and two encoding symbols then we can only construct 3-out-of-4 or 4-out-of-4 BP-XOR secret sharing schemes.

6

Perfect and ideal

(

n, k

)

LDPC secret sharing schemes with

minimum update complexity for

k

= 3

,

4

The results in the previous section show that for the design of perfect and ideal(n,3)

and(n,4)LDPC secret sharing schemes, we need to use high degree encoding symbols. In this section, we show how to convert two array codes in the literature to lowest density perfect and ideal(n,3)and(n,4)LDPC secret sharing schemes.

For a prime numberp, a class of low density(p−1)/k×(p−1)array codes were introduced in Blaum and Roth [6] as a generalization of the code in Zaitsev, Zinov’ev, and Semakov [9], yet the resulting codes are not necessarily MDS. Louidor and Roth [12] showed that when2is primitive inFpthen the resulting array codes are the lowest

density MDS array codes fork= 3,4. It was conjectured that there are infinitely many primespsuch that 2 is primitive inFp. Though these codes are LDPC array codes, they

are not array BP-XOR codes. Thus the secret sharing schemes that we will obtain from these codes are perfect and ideal LDPC secret sharing schemes. But these codes could be converted to perfect but non-ideal (pseudo) BP-XOR secret sharing schemes (the details will be presented in the full version of this paper).

For the construction of array codes in [12], letpbe a prime such that2is primitive inFp. In the finite fieldFp, pick an elementαof multiplicative orderk= 3,4and an

elementβof multiplicative orderp−1. LetC−1={0}and

be the cyclic subgroup generated byα. For1≤i < p−_k1, letCi =βiC0be the coset of C0. Then C−1, C0,· · · , Cp−1 k −1 is a partition of {0,1,· · ·, p−1}. For (i, j) ∈ [−1,p−_k1−1]×[0, p−2], let D0i,j=hCi+jip

wherehCi+jipdenotes the set that is obtained by addingjto the element ofCimodulo

p.

It should be noted that exactly one of the setsD0_−1,j,D0,j,· · ·,Dp−1

k −1,j

contains

p−1. For eachj ∈[0, p−2], letD0,j, D1,j,· · ·, Dp−1

k −1,j be a list of the setsD

0

i,j

such thatp−1∈/ D_i,j0 .

Define the(p−1)/k×(p−1)array codeCk= [σi,j]by lettingσi,jbe the XOR of

all elements inDi,j. The authors in [12] showed that the array codeCk(k= 3,4) is an

MDS code toleratingp−1−kerasure columns orbp−k−1

2 ccolumns of errors. Using the techniques that we have used in Section 4, the above discussed LDPC MDS array codesCk = [σi,j]i∈[1,(p−1)/k],j∈[1,p−1] could be converted to perfect and ideal 3-out-of-(p−2)and 4-out-of-(p−2)LDPC secret sharing schemes by assigning the value of the secretsto the variablesσ1,1,· · ·, σ(p−1)/k,1in the first column in the same way as we have done in Section 4. Based on the design of the array codesCk, it

is straightforward to verify that if we change any single bit in the master secret, then we only need to change at most one bit in the shares of each participant. Indeed, since the code Ck, has the lowest density among all MDS codes of the same size [12], the

corresponding secret sharing schemes have the least update complexity.

7

Dual codes and perfect and ideal

(

n, k

)

LDPC secret sharing

schemes for

k

=

n

−

1

, n

−

2

, n

−

3

In the previous sections, we have described efficient perfect and ideal(n,2)BP-XOR secret sharing schemes and perfect and ideal(n, k)LDPC secret sharing schemes for

k= 3,4. It should be noted that the dual of these secret sharing schemes are also secret sharing schemes.

For the MDSb×narray BP-XOR codesCb,n,2with2b+ 1orb+ 1being prime andn ≤2b+ 1in Section 4.3, the dual codeCD

b,n,2tolerates two erasure columns. If we use one column to define the secret, then it will tolerate one erasure column. Thus the array BP-XOR codesCD

b,n,2will allow us to design(n−2)-out-of-(n−1)perfect and ideal BP-XOR secret sharing schemes.

For the MDS LDPC(p−1)/k×(p−1)array codes withk= 3,4in Section 6, the dual codes are MDS LDPC(p−1)/k×(p−1)array codes that could toleratingkerasure columns. If we use one column to define the secret, then it will toleratek−1erasure columns. Thus the dual codes could be used to design perfect and ideal(p−k−1) -out-of-(p−2)lowest density LDPC secret sharing schemes fork= 3,4. In another word, we can design perfect and ideal(n−2)-out-of-n(respectively,(n−3)-out-of-n) LDPC secret sharing schemes ifn+ 2is prime and2is primitive inFn+2.

8

Private and reliable cloud storage

Due to the advancement of cloud computing technologies, there has been an increased interest for individuals and business entities to move their data from traditional private data center to cloud servers. Indeed, even popular storage service providers such as Dropbox use third party cloud storage providers such as Amazon’s Simple Storage Service (S3) for data storage. With the wide adoption of cloud computing and storage technologies, it is important to consider data privacy and reliability issues for cloud storage services.

In order to achieve reliability, data should be stored in multiple cloud storage servers with redundancy. If no privacy is required, then we can use the MDS BP-XOR codes (respectively, LDPC codes) constructed in Section 4.2 (respectively, Section 6) to store data withinncloud servers and the original data could be recovered from any2 (re-spectively, 3 or 4) of the surviving servers. This will be sufficient for most cloud based applications.

If the user is also concerned with data privacy and does not trust a single cloud server, the user may use the perfect and ideal(n,2)threshold BP-XOR secret sharing schemes in Section 4 or the perfect and ideal (n, k)threshold LDPC secret sharing schemes with k = 3,4 in Section 6 to store the data in n servers. By using these secret sharing schemes, no single cloud server (respectively, 2 or 3 cloud servers jointly) could learn any information of the data. These schemes are very efficient since only linear number (in size of the data) of XOR operations are needed for data storage and recovery. This kind of efficiency is impossible with existing schemes such as Shamir secret sharing schemes.

Privacy preserving data update is simple in BP-XOR or LDPC secret sharing scheme based cloud storage. As an example, if the2-out-of-nsecret sharing scheme based on Table 3 is used, then the first column ofCb,n,2 corresponds to the data file. In other words,

F =v1⊕vp−1||v2⊕vp−2|| · · · ||vb⊕vb+1

wherevi ∈ {0,1}l. Now assume that the first bit ofF is flipped. This is equivalent to

flipping the first bit ofvp−1. Thus the data owner only needs to inform each server to

flip one bit at certain location without leaking any other information.

In Section 4.3, we converted BP-XOR codesCb,n,2 to perfect and ideal

2-out-of-(n−1)secret sharing schemes by letting the first column of Cb,n,2 to represent the secret data. Indeed, we may also use a keyed pseudo random functionHto generate the random bits in the secret distribution phase and obtain secret sharing schemes with some additional useful properties.

In the following, we use a prefix (wildcard) search example to show how the user could carry search in cloud environments without downloand the entire data to the local drive. A given data fileF is divided into words (the searchable unit) of lengthl. In other words,F = s1s2· · · wheresi ∈ M = {0,1}l. Without loss of generality, we

may assume thatF =s1· · ·sb(larger files could be divided into blocks of sizeband

processed separately).

In order to design a scheme that allows privacy preserving prefix search on the shares, we use a keyed pseudo random functionHto generate the random bits during

the secret distribution phase. In Table 3, the first column ofCb,n,2corresponds to a one-factor of a complete graph: v1⊕vp−1,v2⊕vp−2,· · ·,vb ⊕vb+1. For the data file

F =s1· · ·sbwith identifierid, the data owner sets

v1=H(key,id,1),· · · , vb=H(key,id, b)∈ {0,1}l

wherekeyis a secret that the data owner holds, and sets

vp−1=v1⊕s1, vp−2=v2⊕s2,· · · , vb+1=vb⊕sb.

The data owner computes the codeCb,n,2 and stores the(i+ 1)th column ofCb,n,2in theith cloud server. Note that in this implementation, the entire data fileFcould either be recovered from any two cloud servers or from the secret keyvalue and the entire data from one cloud server together with at most one additional block of data from a second cloud server, though any single server learns zero information aboutF(due to the perfect secret sharing property). This kind of scheme may have various applications for cloud data storage. For example, it may allow the application to build certain kind of secure computation over the encrypted data (that is, the shares at the storage servers). Assume that the data owner wants to search whether the data file F contains a word with prefixswith|s| ≤ l. For different cloud servers, the data owner needs to create different search queries. Assume that the query is submitted to the first server that stores:v2, v3⊕vp−1,· · ·,vb+1⊕vb+2. In order to check whethers1has prefixs, it is sufficient to check whetherv1⊕vp−1has prefixs. This is equivalent to show that the sharev3⊕vp−1in the server has prefixv3⊕v1⊕s(here we reduce bothv3and

v1 to the size|s|by only using the first|s|bits). Since the values ofv1 andv3 could be generated from the secretkey, the data owner will be able to generate this query. It should be noted that neither the value ofsnor the value of the original data file is leaked during this query.

It is straightforward to convert a privacy preserving prefix search scheme to an effi-cient privacy preserving keyword search scheme. This follows from the following ob-servation: For a fileF, one can put the keywords ofF as the prefix ofF and obtain

F0 =s1· · ·sbwhereF =s2· · ·sbands1begins with the keywords ofF. Thus it is sufficient to search whethers1contains the keyword.

Similarly, the keyed pseudo random function techniques could be applied to the

3-out-of-n (respectively, 4-out-of-n) secret sharing schemes in Section 6 so that the original data file could be recovered from either3surviving servers (respectively, 4 sur-viving servers) or from the secret key and2surviving servers (respectively, 3 surviving servers). Note that for these schemes, we do not need the additional data block from the 3rd server (respectively, the 4th server).

9

An example of perfect and ideal

3-out-11 LDPC secret sharing

schemes

We conclude our paper by presenting an example of a perfect and ideal3-out-11 LDPC secret sharing scheme. Since 2 is primitive inF13, we can choosep= 13,α= 3, and

β = 2. Then we have

C−1={0} C0={1,3,9} C1={2,6,5}

C2={4,12,10}C0={8,7,11}

Following the process described in Section 6, we have the4×12array code in Table 4. Note that for consistence with our other notations, we replaced0with12in Table 4.

Table 4.4×12array code (not array BP-XOR code)

v1 v2 v3 v4 v5 v6 v2⊕v4⊕v10 v3⊕v5⊕v11 v5⊕v8⊕v9 v5⊕v7⊕v12 v6⊕v8⊕v1 v7⊕v9⊕v2 v3⊕v6⊕v7 v4⊕v7⊕v8 v7⊕v2⊕v12 v6⊕v9⊕v10 v7⊕v10⊕v11v10⊕v5⊕v3 v12⊕v5⊕v11 v9⊕v10⊕v12v10⊕v11⊕v1 v8⊕v3⊕v1 v2⊕v4⊕v9 v1⊕v12⊕v4 v7 v8 v9 v10 v11 v12 v3⊕v8⊕v10 v4⊕v9⊕v11 v1⊕v2⊕v11 v11⊕v12⊕v6 v12⊕v3⊕v4 v1⊕v3⊕v9 v4⊕v6⊕v11 v10⊕v1⊕v12 v3⊕v4⊕v7 v4⊕v5⊕v8 v5⊕v6⊕v9 v2⊕v6⊕v5 v1⊕v2⊕v5 v2⊕v3⊕v6 v12⊕v8⊕v6 v1⊕v7⊕v9 v2⊕v8⊕v10 v8⊕v7⊕v11

For a 3-out-of-11 secret sharing scheme, let the master secrets = s1||s2||s3||s4 wheresi ∈ {0,1}l. Choose random values forv4, v5, v6, v7, v8, v9, v10, v11from{0,1}l and letv1=s1,v2=s2⊕v4⊕v10,v3=s3⊕v6⊕v7, andv12=s4⊕v5⊕v11. Then we get the perfect and ideal LDPC 3-out-of-11 secret sharing scheme in Table 5.

References

1. B.A. Anderson. Finite topologies and hamiltonian paths.Journal of Combinatorial Theory, Series B, 14(1):87–93, 1973.

2. J. Benaloh. Secret sharing homomorphisms: keeping shares of a secret secret. InProceedings on Advances in cryptology—CRYPTO ’86, pages 251–260. Springer-Verlag, 1987.

3. G. R. Blakley. Safeguarding cryptographic keys. Managing Requirements Knowledge, In-ternational Workshop on, 0:313, 1979.

4. G. R. Blakley and G. A. Kabatianski. Ideal perfect threshold schemes and MDS codes. In IEEE Conf. Proc., Int. Symp. Information Theory, ISIT’ 95, pages 488–488, 1995.

5. M. Blaum and R. M. Roth. New array codes for multiple phased burst correction. IEEE Trans. on Information Theory, 39(1):66–77, 1993.

6. M. Blaum and R. M. Roth. On lowest-density MDS codes. IEEE Trans. on Information Theory, 45:46–59, 1999.

7. R. Cramer and S. Fehr. Optimal black-box secret sharing over arbitrary abelian groups. In CRYPTO, pages 272–287, 2002.

8. Y. Desmedt and Y. Frankel. Homomorphic zero-knowledge threshold schemes over any finite abelian group.SIAM Journal on Discrete Mathematics, 7(4):667–679, 1994.

Table 5.3-out-of-11 LDPC secret sharing scheme secret part 1:s1 s2⊕v4⊕v10 s3⊕v6⊕v7 secret part 2:s2 s3⊕v6⊕v7⊕v5⊕v11 v5⊕v8⊕v9 secret part 3:s3 v4⊕v7⊕v8 v7⊕s2⊕v4⊕v10⊕s4⊕v5⊕v11 secret part 4:s4 v9⊕v10⊕s4⊕v5⊕v11 v10⊕v11⊕s1 v4 v5 v6 v7⊕s4⊕v11 v6⊕v8⊕s1 v7⊕v9⊕s2⊕v4⊕v10 v6⊕v9⊕v10 v7⊕v10⊕v11 v10⊕v5⊕s3⊕v6⊕v7 v8⊕s3⊕v6⊕v7⊕s1 s2⊕v10⊕v9 s1⊕s4⊕v5⊕v11⊕v4 v7 v8 v9 s3⊕v6⊕v7⊕v8⊕v10 v4⊕v9⊕v11 s1⊕s2⊕v4⊕v10⊕v11 v4⊕v6⊕v11 v10⊕s1⊕s4⊕v5⊕v11 s3⊕v6⊕v4 s1⊕s2⊕v4⊕v10⊕v5 s2⊕v4⊕v10⊕s3⊕v7 s4⊕v5⊕v11⊕v8⊕v6 v10 v11 s4⊕v5⊕v11 s4⊕v5⊕v6 s4⊕v5⊕v11⊕s3⊕v6⊕v7⊕v4 s1⊕s3⊕v6⊕v7⊕v9 v4⊕v5⊕v8 v5⊕v6⊕v9 s2⊕v4⊕v10⊕v6⊕v5 s1⊕v7⊕v9 s2⊕v4⊕v8 v8⊕v7⊕v11

9. N. V. Semakov G. V. Zaitsev, V. A. Zinov’ev. Minimum-check-density codes for correcting bytes of errors, erasures, or defects.Problems Inform. Transmission, 19(3):197–204, 1983. 10. R. G. Gallager.Low density Parity Check Codes. MIT Press, 1963.

11. E. Karnin, J. Greene, and M. Hellman. On secret sharing systems.Information Theory, IEEE Transactions on, 29(1):35 – 41, jan 1983.

12. E. Louidor and R. M. Roth. Lowest density MDS codes over extension alphabets. IEEE Trans. Inf. Theor., 52(7):3186–3197, 2006.

13. M. Luby. LT codes. InProc. FOCS, pages 271–280, 2002.

14. M. Luby, M. Mitzenmacher, M. Shokrollahi, and D. Spielman. Efficient erasure correcting codes.IEEE Transactions on Information Theory, 47:569–584, 2001.

15. F. J. MacWilliams and N. J. A. Sloane. The theory of error-correcting codes. NH Pub. Company, 1978.

16. R. Mendelsohn and A. Rosa. One-factorizations of the complete grapha survey. Journal of Graph Teory, 9(1):43–65, 1985.

17. J. Pearl. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Morgan Kaufmann, 1988.

18. Adi Shamir. How to share a secret.Commun. ACM, 22(11):612–613, November 1979. 19. Yongge Wang and Yvo Desmedt. Edge-colored graphs with applications to homogeneous

faults.Inf. Process. Lett., 111(13):634–641, July 2011.

20. L. Xu, V. Bohossian, J. Bruck, and D. Wagner. Low density mds codes and factors of com-plete graphs.IEEE Trans. Inf. Theor., 45:1817–1826, 1998.