We consider repairable threshold schemes (RTSs), which are threshold schemes that enable a player to securely reconstruct a lost share with help from their peers. We summarise and, where possible, refine existing RTSs and introduce a new parameter for analysis, called the repair metric. We then explore using secure regenerating codes as RTSs and find them to be immediately applicable. We compare all RTS constructions considered and conclude by presenting the best candidate solutions for when either communication complexity or information rate is prioritised.
In this introduction, we review basic facts about threshold schemes and repairability, we summarise our contributions and we outline the organisation of the paper.
1.1 Threshold schemes
We briefly introduce threshold schemes, then discuss the notation of share repairability in threshold schemes.
Suppose t and n are positive integers such that . A -threshold scheme is a method in which a dealer chooses a secrets and distributes a share to each of the n players such that the following two properties are satisfied:
recoverability: any subset of t players can compute the secret from the shares they collectively hold,
secrecy: no subset of fewer than t players can determine any information about the secret.
A threshold scheme consists of two algorithms: a share algorithm run by the dealer that receives as input the secret s and outputs n shares, and a recover algorithm, which receives as input at least t distinct, valid shares from the players and outputs the secret.
All threshold schemes we consider here are unconditionally secure, meaning all security results are valid against adversaries with unlimited computational power. Such schemes were introduced independently by Blakley and Shamir in 1979 [2, 16] and have been extensively studied since [3, 9].
The following construction is due to Shamir and yields a -threshold scheme:
Let be a set of n players, and let be a prime number. Let the secret space be equal to the finite field of p elements, . For a given secret , the share and recover algorithms comprising Shamir’s threshold scheme are as follows.
Share: Select values uniformly at random from , and let be the polynomial defined by
We give each player , for , the share .
Recover: A collection of t (or more) players perform polynomial interpolation on their shares in order to recover the polynomial f and hence determine the secret .
Shamir’s scheme is recoverable, as any set of t players can recover the secret via interpolation. Shamir’s scheme also maintains secrecy, as for any set of or fewer players, and for any element , there exists a polynomial of degree at most consistent with their shares and having constant term . Thus the shares of an unauthorised set of players yield no information about the true value of s.
1.2 Share repairability
Consider a scenario in which a player in a -threshold scheme loses or corrupts their share and must repair it. In some settings, the player wishing to repair their share, called the repairing player, could communicate with the dealer and request, then receive, a copy of their share. However, the dealer may not always be accessible when a player needs to repair their share. Ideally, in this dealer-less setting, the repairing player could ask for help from its cohort of players to repair its share. A scheme in which this is possible is called a repairable threshold scheme (RTS).
As before, let t and n be positive integers such that and let be such that . Call d the repairing degree. A -repairable threshold scheme, denoted -RTS, is a -threshold scheme which, in addition to the share and recover algorithms, has a repair algorithm that allows a repairing player to securely reconstruct their share with help from a set of d players, called the helping players.
We must define what it means for the repair algorithm to be secure. Assume a setting in which all players execute the repair algorithm correctly. Inherited from the security definition of a -threshold scheme, consider an adversary with access to a coalition of at most players, which may or may not include the repairing player. Each time the repair algorithm is executed, the coalition of at most players will pool their information; this includes the information stored prior to the algorithm being executed, as well as all messages sent and received during. In order to be secure, the accumulated information should yield no information about the secret distributed by the RTS.
We briefly note the bounds on the repairing degree d. First, consider the lower bound . This is a necessary condition since, if a coalition of fewer than t players were able to construct a share for a player not in the coalition, then a coalition of players would be able to construct a share and thus have enough shares to recover the secret s via the recover algorithm. This would contradict the privacy of the RTS, inherited from the threshold scheme, and would thus be insecure. The upper bound on the repairing degree is . This is also obvious since, if one of the n players lost their share, there are at most players that could possibly help. We remark that it is desirable to have a small d, as this allows repairability to be more robust. For example, if and if two players are unavailable (they may be offline or corrupted), no players will be able to repair their shares. In contrast, if d is small, repairability would be possible even in a setting where several players are unavailable.
Finally, we introduce a notion, defined in , regarding the repairability of an RTS. As motivation for this definition, we note that in Definition 1.3 not every d-subset of the players is required to be able to help the repairing player repair their share. Instead, it is necessary that at least one d-subset can help . In order to distinguish between schemes in which all d-subsets, or some d-subsets, are able to help , we introduce the following definition.
A -RTS has universal repairability if all d-subsets of the players are able to repair ’s share. A -RTS has restricted repairability if some, but not all, d-subsets are able to repair ’s share.
1.3 Our contributions
This paper aims to survey the currently fragmented field of repairable threshold schemes. We summarise the existing work and, where possible, enhance the schemes and conduct a more thorough analysis, then explore applying the rich field of secure regenerating codes to RTSs and find them to be immediately applicable. We then conduct a comparison between all known schemes, finding the best candidate solutions for RTSs with differing priorities. Besides unifying the current research, we highlight the following as explicit, novel contributions:
We introduce a new efficiency metric which measures the repairability of an RTS scheme. We use this metric to analyse existing RTSs, in particular, the combinatorial schemes presented in .
We enhance the enrolment scheme from  to achieve a smaller communication complexity whilst maintaining the information rate. We prove the minimality of the communication complexity.
We explore using secure regenerating codes as RTSs and present a number of implications on the resulting RTSs.
Based on our results, we propose the best candidate solutions for RTSs that prioritise either communication complexity or information rate.
In Section 2, the relevant notions and definitions are introduced. This includes necessary definitions from combinatorial design theory and an overview of regenerating codes. In Section 3 we present a naïve construction for an RTS and introduce the metrics used to measure the efficiency of an RTS. Following this, Section 4 introduces, refines and analyses all known RTS constructions. This includes the both enrolment and combinatorial schemes presented in  and the scheme presented in . In Section 5 we explore using regenerating codes as RTSs and find them to be immediately applicable. We then compare all the discussed RTS constructions in Section 6 and conclude in Section 7.
In this section, we present some core ideas in combinatorial design theory from  and regenerating codes that we will need later.
2.1 Combinatorial design theory
Combinatorial design theory deals with arranging elements into finite sets with certain properties.
A design is a pair such that X is a set of elements, called points, and is a collection of non-empty subsets, called blocks, of X.
There is no restriction on the collection to have distinct blocks; this is why is called a collection, rather than a set. If all the blocks are distinct, the design is called simple.
The degree of a point is the number of blocks the point x occurs in. The design is called regular if all points have the same degree. The rank, k, of a design is the largest block in the collection . If all blocks are the same size, the design is said to be uniform.
Balanced incomplete block designs are a widely studied type of design and are defined as follows:
A -balanced incomplete block design, -BIBD, is a design such that
each block in contains exactly k points,
every pair of distinct points is contained in exactly λ blocks.
For convenience, blocks will be written in the form abc, rather than .
Note that a BIBD is a regular, uniform, simple design.
The pair is a -BIBD, where
The following theorem, presented without proof, shows the degree of every point x in a BIBD.
In an -BIBD, every point occurs in exactly
The value τ in Theorem 2.4 is called the replication number of the design. The following result, given without proof, provides more information about the structure of a BIBD and defines how many blocks a BIBD must have.
An -BIBD has exactly
Continuing from Example 2.3, we compute the replication number τ and the number of blocks b for the BIBD.
Consider the -BIBD in Example 2.3. The replication number of the design is and contains blocks.
In , the concept of a repairable distribution design and a basic repairing set are introduced, which will be used later to construct RTSs. We define the concept here and continue our example.
A -distribution design is a design that satisfies the following two properties:
the union of any t blocks contain at least points,
the union of any blocks contains at most points,
where . The distribution design is repairable if every point in the distribution design occurs in at least two blocks.
The -BIBD in Example 2.3 is a -distribution design, as the union of any two blocks contains at least five points, and an individual block contains at most three points. As every point occurs in blocks, the distribution design is repairable.
Finally, we consider the definition of a basic repairing set.
A subset of y blocks contained in a -distribution design is a basic repairing set of size y if every point in the design is contained in at least two blocks of the subset.
Obviously, . The following theorem lower bounds y; the proof is very similar to the proof of Theorem 2.5.
A basic repairing set of a -distribution design, constructed from an -BIBD, has at least blocks.
Let be a basic repairing set of an -BIBD. Define a set
We will compute in two different ways. First, there are m ways to choose . For each y, there are at least two blocks A such that . Hence, . On the other hand, there are y ways to choose a block . For each choice of A, there are k ways to choose . Hence, . Combining these two equations, we see that
as required. ∎
We illustrate the concept of basic repairing sets for our ongoing example.
For the -BIBD in Example 2.3, we can calculate the lower bound on the basic repairing set to be . The set is a basic repairing set of minimal size.
2.2 Regenerating codes
Regenerating codes are a class of distributed storage codes introduced in 2010 by Dimakis, Godfrey, Wu, Wainwright and Ramchandran . Regenerating codes distribute data between nodes and guarantee recoverability of the data with the cooperation of a sufficient number of nodes, and regeneration of lost or corrupted shares. Regenerating codes optimally trade the bandwidth needed for the regeneration of a failed node with the amount of data stored per node in the network.
There are no security requirements for regenerating codes. However, there exists literature exploring how to secure them. Here, we present an introduction to regenerating codes followed by a discussion on securing them.
2.2.1 Introduction to regenerating codes
Regenerating codes, and the notation used to describe them as in , is as follows.
Let be a finite field, and let D denote the data to be distributed, where . Say B is the number of data symbols. Let . Consider a distributed storage system consisting of nnodes, each with the capacity to store α symbols in . Let such that . An -regenerating code distributes D amongst n nodes such that each node stores a share of the data, where each share consists of α elements in . The distribution should be:
recoverable, meaning that D can be recovered by any t of the n nodes,
repairable, meaning that any node can repair their share of the data by downloading β elements in from each of the d repairing nodes.
The following bound on the number of data symbols distributed by an - regenerating code is:
Using this bound, it can be deduced that, when and d are fixed, there is a trade-off between the size of the shares, α, and the bandwidth β required for repair. At one extreme of this trade-off we minimise β first and then α; this is the minimum bandwidth regenerating (MBR) condition. At the other extreme we minimise α and then β to get the minimum storage regenerating (MSR) condition.
This gives us the following parameters for the MBR condition:
At the MSR condition, the parameters are
Using these extreme condition, we can define MBR and MSR codes.
A minimum bandwidth regenerating (MBR) code is an -regenerating code with parameters satisfying the MBR conditions in (2.2) and (2.3). A minimum storage regenerating (MSR) code is an -regenerating code with parameters satisfying the MSR conditions in (2.4) and (2.5).
Since MBR codes achieve the minimum possible repair bandwidth, a replacement node downloads only what it stores, so . By substituting this into (2.1), we can see that an MBR code must satisfy
Similarly, MSR codes must satisfy and .
There exist several constructions in the literature for both MBR and MSR codes. A construction of MBR codes for all possible parameters and d is given in . Examples of constructions of MSR codes can be found for all parameters and d in [7, 19], and for in .
Let , and , meaning that any two of the five nodes can recover the data, and any node can regenerate their share with help from three other nodes. If we let , then (2.6) tells us the number of message symbols that can be distributed is . Let all computations be in the field with eleven elements, , and let
be the five message symbols to be distributed.
Dispersal. Use a (public) generator matrix Ψ, with properties discussed in , and a message matrix M to generate the code as follows:
Regeneration. Say node needs to regenerate their share. This can be done with help from any other nodes as follows. Assume nodes , and are the helper nodes. Let denote row i of Ψ. Each helper node must calculate the inner product : note that node knows as their share, and Ψ is a public matrix, so is also known. Therefore, the three helper nodes and each calculate the following, respectively:
Each helper node then sends this value to . So receives the triple . The regenerating node then calculates the repair matrix , consisting of the rows of Ψ related to the helper nodes, and calculates the inverse of . So, here, as and are helper nodes, consists of rows and 5 of Ψ, as follows:
Node then multiples with the triple received from the helper nodes:
and thus recovers their lost share.
Recover. Any players can recover the data . Assume nodes and collaborate to recover the data. Let be the data collector matrix, constructed from rows corresponding to player and . So
where the shares belonging to and are
We can use the properties of the message matrix M to observe that
which can be solved to give and . These can then be substituted into to give
which gives us four equations in three variables:
which can be solved to find and . Thus, all five data symbols have been recovered by the two nodes, and .
2.2.2 Securing regenerating codes
Securing regenerating codes was first explored in . We introduce the necessary definitions and notation in this subsection.
Consider an adversary who has access to (only) the data stored on nodes. In addition to these nodes, the adversary also has access to the data stored on, and all data downloaded during the regeneration of, nodes. Suppose and are such that . Call such an adversary an -adversary.
It is important to establish how many regenerations an adversary can witness because regenerating codes do not have any security requirements, so each regeneration may reveal information about the data stored.
In fact, each regeneration of an MBR code is secure. This is because , which means a regenerating node stores all data downloaded during a regeneration. Therefore, an eavesdropper does not obtain any extra information by having access to the data downloaded during a regeneration, as well as the data stored. Hence, when considering MBR codes, we can assume an -adversary is an -adversary.
In contrast, MSR codes typically have insecure regenerations. This is because , which means each regenerating node downloads more data during a regeneration than it ultimately stores, and thus an adversary would learn more information witnessing a regeneration than they would if they only had access to the data stored. This extra data learnt could leak information to the adversary about the secret. So, when discussing secure MSR codes, it is important to define how many regenerations an adversary can witness.
As a side note, a node for which an adversary has access to the data on, but cannot witness regenerate, could model the adversary gaining only momentary access. In contrast, a node for which an adversary has access to both the data on and the data downloaded during a regeneration, could model an adversary with long term access to the node.
Recall the data to be distributed in a regenerating code was denoted D such that . Let denote the data to be securely distributed via a regenerating code, and let . Say is the number of data symbols that can be (information theoretically) securely distributed. Note that and, in particular, is the cost of securing the data.
A secure -regenerating code is an -regenerating code that distributes secure data symbols such that an -adversary, for , learns no information about the secure data symbols.
We conclude this introduction to regenerating codes by stating two theorems, each providing tighter upper bounds on .
In  the authors consider a regenerating code where an adversary could witness the regeneration of every node they had access to, so .
Consider an -regenerating code with parameters α and β and a -adversary. The number of data symbols that can be information theoretically secured is
In , the authors consider the number of data symbols that can be securely distributed by an MSR code.
Consider an -MSR code with an -adversary. The number of data symbols that can be information theoretically secured is
3 A naïve solution and efficiency metrics
In this section, we present a naïve construction for an RTS that meets all the necessary requirements. We then introduce the metrics used to measure the efficiency of an RTS; most are metrics discussed in , but the measure of repairability is novel. These metrics will be used going forwards to analyse other RTS constructions.
3.1 Naïve solution
Consider Construction 3.1, which presents a naïve construction for a universally repairable -RTS.
Let s be the secret to be distributed. A -RTS is defined by the following three algorithms, Share, Recover and Repair.
Share: Distribute the secret s via a -threshold scheme (for example, Shamir’s threshold scheme from Definition 1.2), to give n shares . Distribute each share , for via a -threshold scheme, resulting in the shares , for . As their share, player receives the -tuple .
Recover: A set of players pool their shares. The elements for are input to the recover algorithm of the -threshold scheme. If at least t players input valid shares, s will be recovered.
Repair: If player needs to repair their share, they request help from a set A of at least d players, who will each send the element , for i such that . Player then recovers their share via the recover algorithm of the -threshold scheme.
Intuitively, Construction 3.1 shares a secret s via a -threshold scheme to give player their share of the secret, . In order to enable repairability, each share is then shared via a -threshold scheme to ensure d players can act as helping players. The scheme is secure as any players are unable to learn the secret due to the security of the -threshold scheme, and each repair is secure due to the security of each of the -threshold schemes.
3.2 Efficiency metrics
We are interested in the efficiency of an RTS and will consider the following metrics when analysing each scheme. The first metric, information rate, is a standard definition and was presented alongside the second metric in , whilst the third metric, repairability, is new.
Information rate. The first metric we consider is the information rate of the scheme, which is defined to be the ratio
where is the set of all possible shares and is the set of all possible secrets. Intuitively, this measures the amount of information each player is required to store compared to the size of the secret. The information rate is such that . Call an RTS with ideal.
Communication complexity. As defined in , the communication complexity is the sum of the sizes (i.e. the bit lengths) of all messages transmitted during the repair algorithm, divided by the size of the secret. The communication complexity measures the amount of bandwidth required for each execution of the repair algorithm. We denote the communication complexity by γ.
Repairability. We define the repairability of an RTS, denoted by κ, to be the number of d-subsets (of the players) that are able to help a repairing player repair their share, divided by the number of possible d-subsets (of the players). Note that , where if and only if the RTS has universal repairability, as in Definition 1.4.
Computational complexity. We briefly consider the computational complexity of the share, recover and repair algorithms of the RTS.
We will see that -RTSs find a compromise between these metrics and may prioritise one at the cost of the others. In particular, there appears to be an inverse relation between the information rate and communication complexity of many schemes we consider.
We now revisit Construction 3.1 and consider how efficient the scheme is using these metrics.
Consider the share, recover and repair algorithms defining a -RTS as in Construction 3.1. Assuming both underlying threshold schemes are ideal, each player is required to store n shares from the threshold scheme as their RTS share. Therefore, the information rate of the RTS is . An execution of the repair algorithm requires each of the d players to send one of their shares from the -threshold scheme, so . Finally, the scheme has universal repairability, since any d-subset of players can help a repairing player repair their scheme, hence .
We briefly note that the share algorithm of the RTS requires the dealer to run the share algorithm of the underlying -threshold scheme once and the share algorithm of the -threshold scheme n times. The repair algorithm requires to run the recover algorithm of the underlying -threshold scheme once, whilst the recover algorithm requires one run of the recover algorithm for the -threshold scheme. The exact complexity depends on the complexity of the chosen underlying threshold scheme.
4 Existing solutions
In this section, we consider three -RTSs presented in the literature. The first two schemes, outlined in Section 4.1.1 and 4.2, were presented in . The third scheme was presented in  and is introduced in Section 4.3.
4.1 The enrolment RTS
We introduce the enrolment RTS, which was originally proposed in . We then refine this scheme to achieve a lower communication and computational complexity. Finally, we show that the refined scheme achieves the optimal communication complexity for an ideal RTS.
4.1.1 Definition of the enrolment RTS
A -RTS with constructed from the NSG enrolment protocol [11, 10] is presented in . (In fact, a scheme equivalent to the NSG enrolment protocol was presented much earlier by Benaloh in .) We refer to the -RTS as the enrolment RTS.
Assume there exists a -threshold scheme defined over , with shares distributed amongst n players. The share and recover algorithms of the enrolment RTS are identical to the share and recover algorithms in Shamir’s threshold scheme, as in  and defined here in Definition 1.2. The repair algorithm of the enrolment RTS is as follows.
Suppose player wishes to repair their share. Without loss of generality, assume the helping players are players , with . Suppose the share for is , where is a random polynomial of degree at most whose constant term is the secret s. The share can be expressed as
where is the public Lagrange coefficients of . In order to repair ’s share, the protocol proceeds as follows.
For all , player computes random values for such that(4.2)
For all , , player transmits to using a secure channel.
For all , player computes(4.3)
For all , player transmits to player using a secure channel.
Player computes their share using the formula(4.4)
The enrolment protocol is proven to be secure in . The proof highlights two cases: the first considers a coalition of players in which the players are contained in and excludes . The second case considers a coalition of players which includes and players from . In either case, the coalition is unable to learn anything about a share and thus learns no information about the secret.
There are a number of observations to be made about the matrix E. The entry of E is the message player sends . From (4.2), we learn that the sum of the entries in the row of E is equal to . Also, from (4.3), the sum of the entries in the column is equal to . Finally, from (4.2), (4.3) and (4.4), the sum of all entries in E is equal to . Intuitively, player computes and sends all values in row i and receives all the values in column i.
4.1.2 Analysis of the enrolment RTS
We evaluate the efficiency of the enrolment RTS by considering the efficiency metrics presented in Section 3.2.
Each player is required to store only one share from Shamir’s threshold scheme. As this is an ideal threshold scheme, the enrolment RTS is ideal, and so . With respect to the information rate, the enrolment RTS is optimal.
Next, we consider the communication complexity of the scheme. Messages are only exchanged in Steps 2 and 4. In Step 4, each of the t helping players are required to send one message to each of the other helping players, which is a total of messages. During Step 4, each of the t helping players must send one message to the repairing player , which is an additional t messages. So, in total, the repair algorithm requires messages to be sent. As each message is the size of the share and therefore the size of the secret (as Shamir’s scheme is ideal), the communication complexity of the scheme is .
Inherited from Shamir’s threshold scheme, the enrolment RTS has universal repairability and thus .
Finally, we consider the computation required for the enrolment RTS. The share and recover algorithms of the enrolment RTS are identical to the share and recover algorithms of Shamir’s threshold scheme and therefore have the same complexity. In Step 1, the repair algorithm requires each of the t helping players to generate t random values and compute modular additions over . In Step 3, each player must again compute modular additions, and Step 5 requires the repairing player to compute modular additions. So, in total, each helping player must compute modular additions and the repairing player must compute additions. This is a total of modular additions.
4.1.3 Refining the enrolment RTS: The reduced enrolment RTS
We observe that not all messages in the share-exchange matrix E are necessary to enable to securely repair their share. The enrolment RTS can be refined to require fewer messages being sent, and therefore achieve a lower communication complexity, whilst maintaining the optimal information rate and the security of the enrolment RTS. In fact, we can reduce the number of messages sent so that player does not send a message if . We call the resulting scheme the reduced enrolment RTS. After presenting the refined scheme, the primary task is to prove it maintains the security of the enrolment RTS. The reduced enrolment RTS is as follows.
As before, let be the repairing player, and let be the helping players. Let be the share belonging to player , where is a random polynomial of degree at most whose constant term is the secret s. The share can be expressed as in (4.1). The reduced enrolment RTS can be executed as follows:
For all , player computes random values for such that
For all , , player transmits to using a secure channel.
For all , player computes
For all , player transmits to player using a secure channel.
Player computes their share using the formula
Verifying that player computes their share correctly is similar to the verification for the enrolment RTS, as in .
The reduced enrolment RTS is information theoretically secure against a coalition A of strictly fewer than t players.
Assume all players act honestly during the protocol.
First, we note that computing the secret, given shares, is equivalent to computing any additional share. This is easy to see, because any t shares allow the secret to be computed, and any shares along with the secret allow any other share to be computed (this is a well-known property of Shamir’s threshold scheme). As in the proof of the security of the enrolment RTS, there are two cases to consider:
Case 1: The coalition A consists of a subset of players in .
Case 2: The coalition A consists of along with a subset of players in .
We consider the share-exchange matrix of the reduced enrolment RTS. The matrix here is different to the share-exchange matrix of the enrolment RTS in (4.5), as player does not send player a message if . We can adapt E and enter a “0” into the matrix to denote no message being sent. This means values , if . This gives us the following message-exchange matrix:
As before, the sum of the entries in the row of is equal to , the sum of the entries of the column is equal to , and the sum of all the entries in is equal to .
Consider Case 1, where A consists of a subset of players in . Assume player is excluded from the coalition. Now, the coalition possess all entries in except for . The value is completely random, and knowing this value is equivalent to knowing , or the secret. In fact, in order for any information to be learnt, we can use the properties of to deduce the following equations that would need to be solved in order to learn anything about :
are all values known to the coalition.
This leads to the following system of equations:
However, the columns of the matrix on the left are linearly dependent, and thus it is possible to choose any arbitrary value for , which will then determine both and , and then . Therefore, in Case 1, the coalition learns no information about the individual shares or , and therefore learns no information about the secret being distributed.
Now, consider Case 2, where A consists of and a subset of players in . Assume players and are omitted from the coalition, where . In this case, the coalition knows all entries in except and . Note that player does not send a message to ; this is known by the coalition and so they know that . For the coalition, learning and is equivalent to learning or .
As the values and are known. This knowledge allows the coalition to compute , as
Now, the coalition are left to try to compute and . Note that the sum of the these two values are known, but neither value is individually known. The following equations can be formed
are all known. This leads to the following system of equations, where all values in the right-hand side vector are known:
As before, the columns in the matrix on the left are linearly dependent, and thus it is possible to choose an arbitrary value for one of or , which will determine the other (as the sum of or is known), which will then, in turn, determine values for and . Similarly, we could choose arbitrary values for and which would determine and .
In either Case 1 or 2, the coalition A of players would be unable to learn any information about any additional share, and thus would learn no information about the secret. ∎
The reduced enrolment RTS maintains the information rate of the enrolment RTS, , yet manages to achieve a lower communication complexity, . The reduced enrolment RTS is also universally repairable, so, as with the enrolment RTS, . Finally, the reduced enrolment RTS has the same share and recover algorithms as the enrolment RTS, and thus has the same computational complexity for these algorithms. However, due to the reduced number of random messages generated by the helping players and the reduced number of messages sent, the repair algorithm is more efficient. Player , for must generate i random values, rather than t, and must compute modular additions, rather than . As in the enrolment RTS, must still compute additions. Therefore, the reduced enrolment protocol requires a total of modular additions, rather than the additions required in the enrolment RTS.
From the analysis, we can observe that the reduced enrolment RTS maintains or improves on all the efficiency metrics and is thus a more efficient RTS than the enrolment RTS presented in  and here in Section 4.1.1.
4.1.4 Optimal communication complexity of the reduced enrolment RTS
As we have reduced the communication complexity of the enrolment RTS, it is a natural question to ask whether it could be reduced any further. We show here that the communication complexity for not only the enrolment RTS, but for any scheme securely computing the sum of shares, is in fact lower bounded by . Thus, in this respect, the reduced enrolment RTS is optimal.
The reduced enrolment RTS is in the setting in which t players wish for an external player to (privately) compute the sum of their t shares. Any set of at most of the players (including the external player ) must learn no information about either one of the player’s values, or the sum of the shares. In other words, the coalition must be prevented from learning all the inputs to the sum and the output.
All known private protocols, including the reduced enrolment RTS, are oblivious protocols. That is, the decision whether player sends a message to in round h is determined by and h, and does not depend on the input and random coins. By assuming a private protocol, we are able to prove the lower bound on the communication complexity whilst making fewer assumptions on the protocol, such as the number of rounds required and the exact number of messages each player either sends or receives.
We prove a lower bound on the number of messages required by any oblivious protocol allowing a player to compute the sum of t player’s values such that the protocol is t-private, meaning any subset of at most players is unable to learn all inputs and the output.
Note that the proof of Theorem 4.2 proves the same result as in . However, the proof in  considers a setting where the sum of the shares is computed by a player who also contributes an input and all players learn the output. Their proof does not immediately apply to our slightly different setting, where an external player with no input is must compute the sum and the output is known only to this external player. As well as achieving slightly different goals, the protocol presented here is executed in two rounds, rather than t rounds (as is achieved in ).
The lower bound on the number of messages required to be sent by any oblivious protocol that allows a player to compute the sum of t player’s values, such that the protocol is t-private, is
Consider a graph with vertices. Let each vertex , for , correspond to a share , and let the vertex correspond to the sum of the shares. Let the (undirected) edges of the graph correspond to inputs and outputs to the vertices. That is, an edge between vertices i and j means that either player sends player a value, or player sends a value, or both players send values. We claim that knowledge of all inputs and outputs to a vertex will uniquely define the share relating to this vertex. For the vertex computing the sum of the inputs, this is obvious. For the other t vertices, we observe that each of these vertices must communicate their share to the player, and by learning all inputs and outputs to the vertex, the share must be calculable, otherwise the player will not be able to use it as an input to the sum.
We will show that, in order to be secure, the graph must be complete. That is, there must be a total of edges.
For the graph to be complete, there must be t edges connected to every vertex, meaning the degree of any vertex v in the graph is t. We show that, if there exists a vertex with degree less than t, a coalition of vertices will be able to learn more information than they should.
To show this, consider a vertex of the graph, which has a degree of less than t. Specifically, let have degree . This means there exists no edge between and one other node, which we denote as . We do not need to specify whether either or are players with shares, or the player computing the sum; it does not matter. Now, consider a coalition of vertices A, which consists of all vertices excluding and . As there is no edge between and , all edges connected to these two vertices are also connected to vertices in A. Therefore A knows all inputs and outputs to both and and can thus determine the two vertices and (corresponding to either the shares or the sum). As A already knew the vertices included in the coalition, the additional information of and gives A knowledge of all t shares and the sum of all the shares.
Hence, if there exists a node with degree less than t, the scheme is insecure. Therefore, each node must have degree equal to at least t, meaning the minimum number of edges in the graph, and therefore the minimum number of messages sent during the protocol, is , as required. ∎
We have previously defined the reduced enrolment RTS which has a total of messages sent throughout. Thus, the reduced enrolment RTS is one construction that meets the lower bound for the communication complexity, and is thus optimal in this respect.
4.2 Combinatorial repairability
Also in , Stinson and Wei propose a way to construct -RTSs based on combinatorial designs. These schemes achieve a reasonably high (but not optimal) information rate, and a low communication complexity. However, these schemes only achieve restricted repairability, as in Definition 1.4.
We first present the construction of these schemes, then provide an example. We then analyse their efficiency; in particular, we apply our new metric measuring the repairability to these schemes.
4.2.1 Definition of scheme
The share algorithm is as follows. Suppose there exists an -BIBD with b blocks, as in Definition 2.2, which is also a repairable -distribution design, as in Definition 2.7. Now, use an -ramp scheme defined over (for ) and call the shares output by the ramp scheme sub-shares. Let , where the lower bound originates from the minimal size of the basic repairing set in (2.10) and b is the number of blocks in the BIBD. In , they construct a -RTS with restricted repairability by allocating sub-shares from the ramp scheme to n players, as defined in the distribution design. Each block in the design represents a player, and each point represents a sub-share. The recover algorithm requires t players to pool their shares and recover the shared secret via the recover algorithm of the -ramp scheme. For the repair algorithm, a repairing player must be sent d sub-shares from d players who each store one of ’s sub-shares.
We will refer to schemes constructed in this manner as combinatorial RTSs. We illustrate this construction via an example.
The share algorithm of a -RTS is as follows. Consider the -BIBD, which is a repairable -distribution design, used throughout the examples in Section 2.1. This design consists of twelve blocks; note that and so n has been chosen to be maximal. Also consider a -ramp scheme over and, for convenience, label the nine shares output from the ramp scheme . Using the -repairable distribution design and the -ramp scheme, construct a -RTS with restricted repairability by allocating sub-shares from the ramp scheme to the twelve players defined by the design, as follows:
To recover the secret, any two players can pool their shares, which will consist of at least five distinct sub-shares from the -ramp scheme, and recover the distributed secret via the recover algorithm of the ramp scheme. Say player needs to repair their share. They can have assistance from players and , who would each send the sub-shares and 8, respectively.
In their paper, Stinson and Wei propose a number of combinatorial RTSs relying on a range of designs. They give some specific parameters for the underlying designs and the resulting RTS.
Note that these RTS schemes are secure due to the underlying properties on the -ramp scheme and the -distribution design: a coalition of t players will learn at most sub-shares output by the ramp scheme and will therefore learn no information about the secret.
4.2.2 Analysis of combinatorial RTSs
A theorem in  states the information rate and communication complexity of combinatorial RTSs. Assume there exists an -BIBD, which is a repairable -distribution design with b blocks that contains a basic repairing set of size y, and suppose that . Let . Then there exists a -RTS with restricted repairability that has information rate , and communication complexity , where every share is in .
Before calculating the repairability of the scheme, we note one disadvantage of the combinatorial RTSs that arises from the necessary condition in the aforementioned theorem: a -RTS can only be constructed if there exists an -BIBD which is also a repairable -distribution design on m points with n blocks of size d. This is not true for all possible parameters and n, and so this construction may not be able to build an RTS with the desired parameters.
So, we are left to calculate the repairability κ of the combinatorial RTSs and analyse the computational complexity.
Combinatorial RTSs only have restricted repairability, so not all d-subsets of players will have the information required to help a repairing player reconstruct their share. The probability that a randomly chosen set of d players can help a repairing player repair their share is described in Theorem 4.4.
A randomly chosen subset of d players in a -RTS, constructed using an underlying -BIBD with players, has probability
of successfully repairing the share of a player , where τ is the replication number of the BIBD, as defined in Theorem 2.4.
Assume an -BIBD which is also a repairable -distribution design on m points with n blocks of size d. Say player wishes to repair their share, which consists of d sub-shares. There are a potential players that could play the role of helping nodes and assist in reconstructing their share. As d of these players are required to repair ’s share, there are a total of d-subsets that could collaborate to help . Now, we have to calculate how many of the d-subsets have the information required to repair ’s share. Because of the properties of the underlying -BIBD, each sub-share occurs in exactly τ blocks, where τ is the replication number of the BIBD, calculated here as . Therefore, excluding ’s share, each sub-share is contained in of the players’ shares. Now, as each pair of sub-shares occurs in one player’s share, each of the d helping players must send exactly one sub-share. There are players who could contribute to recovering ’s first sub-share, then a distinct group of players who could contribute to recovering ’s second sub-share, and so on, until the sub-share. Therefore, there are d-subsets that collectively hold the information required to help recover their share. Therefore, κ is given by dividing the number of d-subsets that could successfully act as helping players, , by the total number of possible d-subsets, , as required. ∎
We illustrate this proof by continuing Example 4.3.
Consider the -RTS in Example 4.3, constructed from an underlying -BIBD. The replication number of the BIBD is . Each player has sub-shares and each sub-share is stored by players, excluding the repairing player. So, there are three players that can send the repairing player the first sub-share, three other players that can send the second sub-share and three other players that can send the final sub-share. This means there are sets of three players, out of the possible 3-subsets, that have the information required to repair ’s share. So
So, any randomly chosen set of players will have a chance of having the information required to help the repairing player. To further illustrate this, assume is the repairing player. There are 27 sets of players that can help repair ’s share, including and . There are now sets of three players that do not have the information required to help repair ’s share, including , who do not collectively know sub-shares 5 and 8, and , who do not know sub-share 8.
We make one final comment on the reparability of the combinatorial RTSs. In , it is not necessary to have the number of players in the scheme n to be equal to the number of blocks b. Instead, they bound n to be , where y is the size of the basic repairing set and b is the number of blocks in the design. If , the repairability of the scheme will vary depending on the number of players, and which players, are in the RTS.
Consider a -RTS constructed from the basic repairing set in Example 2.11. Assume wishes to repair their share. There are a possible subsets of the remaining five players that could act as helping players. Of these 10 subsets, only one set has the information required to repair ’s share. Therefore, . So, a randomly chosen set of three players will have a probability of being able to recover the repairing player’s share.
From now on, when computing the reparability of a combinatorial RTS, we assume the number of players is maximal, so . In Section 6.2, Table 2 shows the reparability (as well as the information rate and communication complexity) of each of the -RTSs proposed in .
We complete the analysis of the combinatorial RTSs by commenting on the complexity of each of the RTS algorithms. Once a -distribution design has been chosen, the RTS share algorithm requires one execution of the share algorithm of the ramp scheme. Similarly, the RTS recover algorithm requires one execution of the recover algorithm of the ramp scheme. The RTS repair algorithm requires no computation: helping players must send sub-shares to the repairing player, but no players are required to conduct any computation. In this respect, the repair algorithm is optimal.
4.3 GLF scheme
In , the authors (Guang, Lu and Fu) present an information theoretically secure -RTS which utilises MBR codes and linearised polynomials. Intuitively, they distribute a secret via a -threshold scheme using a random, linearised polynomial with the constant term equal to the secret, then the shares are treated as the message symbols in a -MBR code. Their scheme works for all parameters and d.
The GLF construction achieves an information rate of and a communication complexity of , where β is as defined by the MBR code. The GLF RTS is universally repairable and so .
The share algorithm of the GLF RTS requires the generation of a linearised polynomial and the evaluation of t points on this polynomial; this is followed by the computation of the necessary MBR code, where the shares are treated as message symbols. The GLF recover algorithm requires recovery of the message symbols via the MBR code, then recovering the linearised polynomial from the message symbols. The repair algorithm is identical to the regeneration of a node in the underlying MBR code.
We will see how, when considering secure regeneration codes in Section 5, MBR codes can be used to achieve schemes with a better information rate and communication complexity than is achieved by the GLF RTS.
5 Solutions using regenerating codes
Secure regenerating codes, defined in Definition 2.15, can be used directly to construct -RTSs. However, the work discussing secure regenerating codes has not been presented in the framework of threshold schemes and RTSs. In this section, we briefly explore the application of secure regenerating codes to RTSs and discuss relevant parameters. Following this, we present several constructions for secure regenerating codes.
5.1 Applying regenerating codes to RTSs
Now, we translate the language used in regenerating codes into that used by repairable threshold schemes. Each node is equivalent to a player, and the data stored by the node is the player’s share. A regenerating node is equivalent to a repairing player. The strongest adversary considered in an RTS is equivalent to an -adversary against a secure regenerating code, where and . So, if we wish to build a -RTS, we can trivially use an information theoretically secure -regenerating code.
In general, the information rate of a -RTS based on a regenerating code is
and the communication complexity is
As all regenerating codes have universal repairability, all -RTSs based on MBR codes have .
Note that, because for all MBR codes, the communication complexity and information rate of these schemes are reciprocals, as was noted in  when discussing the combinatorial RTSs.
5.1.1 Using MBR codes as RTSs
The first corollary considers the information rate of an RTS based on an MBR code.
A -RTS based on a secure -MBR code with a -adversary cannot be ideal.
The information rate of the RTS is calculated as . The scheme is ideal if , which is true if and only if . Now, substitute the MBR condition from (2.2) and (2.3) into the bound given in Theorem 2.16. This gives the maximum number of messages symbols that can be securely distributed by an MBR code (as in ) to be
By substituting in , we learn that . So, if and only if . But in all MBR codes, , and so . This is only true if . However, in the definition of threshold schemes, given in Definition 1.1, t is defined to be such that as, if , any individual player could recover the secret. Therefore, a -RTS constructed from a secure -MBR code cannot be ideal.∎
5.1.2 Using MSR codes as RTSs
The following two corollaries consider the limitations of RTSs based on MSR codes.
A -RTS based on an -MSR code cannot securely distribute any messages if .
Consider the bound given in Theorem 2.17. By setting , we can see immediately that . ∎
A -RTS based on an -MSR code with a -adversary cannot be ideal. In fact, if , the RTS can only be ideal against a -adversary.
Assume we have an optimal (in terms of ), secure -MSR code. The information rate of the -RTS based on this MSR code is
As we have assumed , we can substitute this into (5.2), so
For the -RTS to be ideal, ρ must equal 1. This is true if and only if , as required. ∎
In fact, (5.3) illustrates how the information rate of a -RTS based on an MSR code with an -adversary, such that , decreases as increases. This is because, as previously explained, the repair algorithm for MSR codes leaks information as . Because of this, MSR codes may not be the best way to construct RTSs as they achieve a small information rate when considering a maximal adversary with and .
Now, we consider secure regenerating codes as RTSs and analyse results.
5.2 Constructions of secure regenerating codes for RTSs
We consider three constructions for secure regenerating codes. The first of the three, , is a secure MBR code and can be constructed for all parameters such that . The next two constructions we consider, from  and , are secure MSR constructions and are for specified values of d.
5.2.1 Shah, Rashmi and Kumar’s secure MBR construction 
In , the authors (Shah, Rashmi and Kumar) present an information theoretically secure -MBR code based on a matrix product construction for MBR codes, presented in  and used in Example 2.14. Without loss of generality, they construct codes for the case where , and codes for any higher value of β can be obtained by a simple concatenation of the code with (this technique is called striping and is detailed in ). We call this construction the SRK-MBR construction.
The SRK-MBR construction achieves a secure code by replacing a carefully chosen set of message symbols with symbols which are chosen uniformly and independently at random from . If these random values are treated as message symbols, the secure regenerating code is identical to the standard regenerating code, and so distribution, recovery and repair are as in the regeneration code defined in . They prove the secure construction is information theoretically secure. The SRK-MBR scheme achieves the maximum bound for , as in Theorem 2.16, with .
Consider this secure -regenerating code as a -RTS, and consider a -adversary. As the repair algorithm of an MBR code is inherently secure, a -adversary is equivalent to a -adversary. We can substitute and into (5.1) to calculate
Now, as each player stores α elements in , where is as in (2.3), and as , the information rate and communication complexity metrics can be computed as follows:
As regenerating codes have universal repairability, for all secure regenerating codes treated as an RTS.
We present a brief example of this secure construction, which is a continuation from Example 2.14.
Consider the code in Example 2.14. The number of symbols that can be securely distributed via this -MBR code is . Replace and with random elements in the field, and let and be the secure message symbols to be distributed. This is then a secure -RTS against a -adversary and has information rate , communication complexity and repairability .
Finally, we briefly comment on the complexity of the scheme. All three algorithms, share, repair and recover, require all players to compute linear computations.
5.2.2 Rawat’s MSR construction 
In , Rawat proposes an information theoretically secure -MSR code for . The secure code is based on a construction for general MSR codes proposed in  which is valid for all parameters and d. Rawat’s MSR construction can be treated as a -RTS with a -adversary.
Rawat’s construction is optimal with respect to , as given in Theorem 2.17. Thus, by substituting in , the information rate of the scheme can be calculated as
To calculate the communication complexity, it is useful to calculate using the value for β and , given in the MSR trade-off condition. This gives that
where α is defined to be in the scheme. Then
Then the communication complexity of the scheme is
As before, . Also, as with other schemes based on regenerating codes, all three algorithms, share, repair and recover, require computations of linear combinations.
5.2.3 Shah, Rashmi and Kumar’s secure MSR construction 
In , the authors present a secure -RTS based on MSR codes, for . We call this the SRK-MSR construction. SRK-MSR is similar to SRK-MBR and is also based on the constructions given in , which are suitable for when (they say the schemes can be extended so via shortening), and thus the SRK-MBR is also for parameters . As in SRK-MBR, SRK-MSR consists of replacing a carefully selected subset of the message symbols with random values.
The SRK-MSR scheme is able to distribute messages securely. The authors claim their scheme is optimal when , but say it is unknown whether it is optimal when . We answer here that the MSR scheme is optimal if or 1, but is not optimal for .
The -RTS constructed from the SRK-MSR construction presented in  is optimal with respect to the number of messages that can be securely distributed, , if . If , the construction is not optimal with respect to .
Denote the number of message symbols the SRK-MSR construction in  can securely distribute as
Then we can compare this to the bound for all MSR codes given in Theorem 2.17. If we divide both values by , we can see that
with an equality when equals either zero or one, but strictly greater than when , as required. ∎
Consider the SRK-MSR construction as a -RTS with a -adversary. We can substitute and into the MSR condition to give that and , so . Now, we can calculate, . Therefore the SRK-MSR construction cannot be used to securely distribute any symbols when a -adversary is considered.
6 Comparison of techniques
In this section, we compare the RTS constructions introduced throughout. We begin by comparing MBR and MSR based schemes. Then, we compare schemes that prioritise communication complexity above information rate, followed by schemes prioritising information rate.
6.1 Comparing MBR and MSR codes
Here, we highlight some similarities and differences between -RTSs that are constructions of secure MBR and MSR codes.
Firstly, all -RTSs based on either MBR or MSR codes have universal repairability, so , always.
However, there are a number of major differences. Note that MBR codes prioritise bandwidth and thus the -RTSs based on them achieve a lower communication complexity than schemes based on MSR codes. In contrast, MSR codes prioritise storage and thus the -RTSs based on MSR codes generally achieve higher information rates. However, secure MSR codes cannot be ideal RTSs unless , meaning the adversary witnesses no regenerations, which may be unrealistic in the RTS setting.
Importantly, the repair algorithm for RTSs based on MBR codes is secure: the adversary is able to witness any number of regenerations and no information will be learnt. However, crucially, the repair algorithm for RTSs based on MSR codes is insecure: with each distinct regeneration, the adversary learns more information. Thus, the number of regenerations the adversary can witness affects the number of message symbols that can be securely distributed; the more regenerations witnessed, the fewer message symbols can be secured. In settings where , which is what is considered here for an RTS, MSR codes may not be very useful.
Finally, secure MBR based -RTSs exist for all valid parameters and d. In the current literature, there does not appear to be any secure construction based on MSR codes for all valid parameters, and a secure construction for is impossible.
Thus, between MBR based and MSR based RTSs, MBR based schemes appear to be the most applicable to RTSs, mainly because of the secure repair algorithm. In particular, the secure MBR construction presented in  appears to be the most applicable construction from the field of regenerating codes. This is because it achieves the upper bound for the value of and is therefore optimal and the repair algorithm is secure, meaning the adversary can witness multiple repairs.
Table 1 compares the information rate and communication complexity for all universally repairable schemes considered for an example set of parameters. Due to the restrictions of the repairing degree d for the secure MSR constructions, the table considers the metrics for a -RTS using the SRK-MBR , Rawat , SRK-MSR  and GLF  constructions. The metrics for a -RTS from the enrolment and reduced enrolment RTSs are also included. It is possible to see from Table 1 that, out of all RTSs based on regenerating codes, the SRK-MBR construction achieves the best information rate and the best communication complexity for the given parameters.
6.2 Comparison of techniques prioritising communication complexity
Both secure MBR schemes and combinatorial RTSs prioritise communication complexity over information rate. Here, we compare the SRK-MBR construction with the combinatorial RTSs given in .
Table 2 shows how the combinatorial RTSs in  compare to those based on secure MBR codes in  for certain parameters. The comparison shows the information rate ρ, communication complexity γ and repairability κ (assuming n is maximal for the combinatorial schemes), with bold rows showing the RTSs with different ρ and γ. The chosen parameters relate to proposed combinatorial RTSs in ; note that MBR schemes exist for all valid parameters of and d, but the combinatorial RTSs rely on the existence of an underlying design with relevant parameters.
|Combinatorial schemes ||MBR schemes |
From Table 2, we can see the schemes achieve equal information rate and communication complexities in most cases. In some cases, which are in bold, the SRK-MBR scheme achieves a better information rate and a better communication complexity than the combinatorial RTSs. In no case do the combinatorial RTSs achieve better results than the SRK-MBR construction. In fact, when the concept of restricted repairability was introduced in , it was suggested that compromising repairability may enable more efficient schemes. However, this appears to not be the case, at least so far.
As well as achieving similar or better values for ρ and γ in all defined parameters for t and d in , the SRK-MBR construction has two advantages over the combinatorial RTSs:
The MBR schemes in  achieve universal, rather than restricted, repairability.
The combinatorial RTSs in  depend on the existence of certain combinatorial constructions. This is in contrast to MBR schemes, which can be constructed for all valid parameters and d.
However, one advantage of the combinatorial RTSs in  is the computational complexity of repairing a share. In schemes based on either MBR or MSR codes, every repair requires helping nodes and the repairing node to execute linear computations. The combinatorial RTSs, in contrast to this, just require the helping nodes to send the repairing node a sub-share, with no computation being required for any of the players.
In conclusion, if communication complexity if a priority and if the player’s are able to compute linear combinations, RTSs based on MBR codes, such as those in  are likely to be preferable. If communication complexity is a priority but players are unable to run computations, the combinatorial schemes in  compromise repairability and, occasionally, information rate and bandwidth, in order to achieve a repair algorithm that requires no computations from any of the players involved.
6.3 Comparison of techniques prioritising information rate
Both schemes based on MSR codes and the enrolment (and reduced enrolment) RTS prioritise information rate and offer universal repairability.
However, because of the insecure repair protocol, secure MSR codes are unable to achieve an information rate as good as the reduced enrolment RTS. Therefore, if information rate is a priority, the reduced enrolment scheme appears to be the best candidate. However, despite the improvements made to the enrolment RTS, resulting in the reduced enrolment RTS, the communication complexity remains much higher than any of the other schemes.
In this paper, we have explored RTSs. We introduced a new metric for analysis, which we used when exploring existing RTS constructions. The three constructions we considered include the enrolment scheme from , which we refined to reduce the communication complexity, the combinatorial schemes from , which we used our new metric to analyse in more detail, and the GLF scheme in , which we later showed to be inefficient.
After exploring existing schemes, we studied applying the field of secure regenerating codes to RTSs. We discussed the two main types of regenerating codes, MBR and MSR codes, which result in RTSs prioritising either communication complexity or information rate, respectively. We discussed some immediate results of using these codes as RTSs, then explored constructions of both MBR and MSR codes and considered the resulting RTSs.
Finally, we compared the range of RTS constructions and discussed the results found. We concluded that, due to the insecure repair algorithm of MSR codes, MSR codes may not provide the best RTS schemes. We also concluded that the best candidate solution for an RTS prioritising communication complexity is an optimal MBR. In particular, the SRK-MBR construction  is one such scheme and manages to achieve information rates at least as good as the combinatorial schemes in , whilst maintaining universal repairability. The best candidate solution for an RTS prioritising information rate appears to be our refined version of the enrolment scheme, originally presented as an RTS in  and refined here in Section 4.1.3.
Funding source: Canadian Network for Research and Innovation in Machining Technology, Natural Sciences and Engineering Research Council of Canada
Award Identifier / Grant number: RGPIN-03882
Funding statement: Research supported by NSERC discovery grant RGPIN-03882.
 J. C. Benaloh, Secret sharing homomorphisms: Keeping shares of a secret secret, Advances in Cryptology – CRYPTO’ 86, Lecture Notes in Comput. Sci. 263 Springer, Berlin (1986), 251–260. Search in Google Scholar
 G. R. Blakley, Safeguarding cryptographic keys, Proceedings of the National Computer Conference – AFIPS, Texas A&M University, College Station (1979), 313–317. Search in Google Scholar
 G. R. Blakley and G. Kabatianski, Ideal perfect threshold schemes and MDS codes, Proceedings of IEEE International Symposium on Information Theory, IEEE, Piscataway (1995), 488–488. Search in Google Scholar
 A. Dimakis, P. Godfrey, Y. Wu, M. Wainwright and K. Ramchandran, Network coding for distributed storage systems, IEEE Trans. Inform. Theory 56 (2010), no. 9, 4539–4551. 10.1109/TIT.2010.2054295 Search in Google Scholar
 S. Goparaju, S. El Rouayheb, R. Calderbank and H. Poor, Data secrecy in distributed storage systems under exact repair, Proceedings of International Symposium on Network Coding – NetCod, IEEE, Piscataway (2013), 1–6. Search in Google Scholar
 S. Goparaju, A. Fazeli and A. Vardy, Minimum storage regenerating codes for all parameters, Proceedings of IEEE International Symposium on Information Theory – ISIT IEEE, Piscataway (2016), 76–80. Search in Google Scholar
 X. Guang, J. Lu and F. Fu, Repairable threshold secret sharing schemes, preprint (2014), https://arxiv.org/abs/1410.7190. Search in Google Scholar
 M. Nojoumian, Novel secret sharing and commitment schemes for cryptographic applications, Ph.D. thesis, University of Waterloo, 2012. Search in Google Scholar
 S. Pawar, S. El Rouayheb and K. Ramchandran, On secure distributed data storage under repair dynamics, Proceedings of the IEEE Symposium on Information Theory Proceedings – ISIT, IEEE, Piscataway (2010), 2543–2547. Search in Google Scholar
 K. Rashmi, N. Shah and P. Kumar, Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via a product-matrix construction, IEEE Trans. Inform. Theory 57 (2011), no. 8, 5227–5239. 10.1109/TIT.2011.2159049 Search in Google Scholar
 A. Rawat, A note on secure minimum storage regenerating codes, preprint (2016), https://arxiv.org/abs/1608.01732. Search in Google Scholar
 N. Shah, K. Rashmi and P. V. Kumar, Information-theoretically secure regenerating codes for distributed storage, Proceedings of IEEE Global Telecommunications Conference – GLOBECOM, IEEE, Piscataway (2011), 1–5. Search in Google Scholar
 D. Stinson, Combinatorial Designs: Constructions and Analysis, Springer, New York, 2004. Search in Google Scholar
 D. Stinson and R. Wei, Combinatorial repairability for threshold schemes, Des. Codes Cryptogr. 86 (2017), no. 1, 1–16. Search in Google Scholar
 M. Ye and A. Barg, Explicit constructions of high-rate MDS array codes with optimal repair bandwidth, IEEE Trans. Inform. Theory 63 (2017), no. 4, 2001–2014. 10.1109/TIT.2017.2661313 Search in Google Scholar
© 2018 Walter de Gruyter GmbH, Berlin/Boston
This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.