In this introduction, we review basic facts about threshold schemes and repairability, we summarise our contributions and we outline the organisation of the paper.
1.1 Threshold schemes
We briefly introduce threshold schemes, then discuss the notion of share repairability in threshold schemes.
Suppose t and n are positive integers such that
- recoverability: any subset of t players can compute the secret from the shares they collectively hold,
- secrecy: no subset of fewer than t players can determine any information about the secret.
A threshold scheme consists of two algorithms: a share algorithm run by the dealer that receives as input the secret s and outputs n shares, and a recover algorithm, which receives as input at least t distinct, valid shares from the players and outputs the secret.
All threshold schemes we consider here are unconditionally secure, meaning all security results are valid against adversaries with unlimited computational power. Such schemes were introduced independently by Blakley and Shamir in 1979 [2, 16] and have been extensively studied since [3, 9].
The following construction is due to Shamir and yields a
- Share: Select
values uniformly at random from , and let be the polynomial defined by
We give each player , for , the share .
- Recover: A collection of t (or more) players perform polynomial interpolation on their shares in order to recover the polynomial f and hence determine the secret
Shamir’s scheme is recoverable, as any set of t players can recover the secret via interpolation. Shamir’s scheme also maintains secrecy, as for any set of
1.2 Share repairability
Consider a scenario in which a player in a
As before, let t and n be positive integers such that
We must define what it means for the repair algorithm to be secure. Assume a setting in which all players execute the repair algorithm correctly. Inherited from the security definition of a
We briefly note the bounds on the repairing degree d. First, consider the lower bound
Finally, we introduce a notion, defined in , regarding the repairability of an RTS. As motivation for this definition, we note that in Definition 1.3 not every d-subset of the
1.3 Our contributions
This paper aims to survey the currently fragmented field of repairable threshold schemes. We summarise the existing work and, where possible, enhance the schemes and conduct a more thorough analysis, then explore applying the rich field of secure regenerating codes to RTSs and find them to be immediately applicable. We then conduct a comparison between all known schemes, finding the best candidate solutions for RTSs with differing priorities. Besides unifying the current research, we highlight the following as explicit, novel contributions:
- We introduce a new efficiency metric which measures the repairability of an RTS scheme. We use this metric to analyse existing RTSs, in particular, the combinatorial schemes presented in .
- We enhance the enrolment scheme from  to achieve a smaller communication complexity whilst maintaining the information rate. We prove the minimality of the communication complexity.
- We explore using secure regenerating codes as RTSs and present a number of implications on the resulting RTSs.
- Based on our results, we propose the best candidate solutions for RTSs that prioritise either communication complexity or information rate.
In Section 2, the relevant notions and definitions are introduced. This includes necessary definitions from combinatorial design theory and an overview of regenerating codes. In Section 3 we present a naïve construction for an RTS and introduce the metrics used to measure the efficiency of an RTS. Following this, Section 4 introduces, refines and analyses all known RTS constructions. This includes both the enrolment and combinatorial schemes presented in  and the scheme presented in . In Section 5 we explore using regenerating codes as RTSs and find them to be immediately applicable. We then compare all the discussed RTS constructions in Section 6 and conclude in Section 7.
In this section, we present some core ideas in combinatorial design theory from  and regenerating codes that we will need later.
2.1 Combinatorial design theory
Combinatorial design theory deals with arranging elements into finite sets with certain properties.
A design is a pair
There is no restriction on the collection
The degree of a point
Balanced incomplete block designs are a widely studied type of design and are defined as follows:
- (ii) each block in
contains exactly k points,
- (iii) every pair of distinct points is contained in exactly λ blocks.
For convenience, blocks will be written in the form abc, rather than
Note that a BIBD is a regular, uniform, simple design.
The following theorem, presented without proof, shows the degree of every point x in a BIBD.
The value τ in Theorem 2.4 is called the replication number of the design. The following result, given without proof, provides more information about the structure of a BIBD and defines how many blocks a BIBD must have.
Continuing from Example 2.3, we compute the replication number τ and the number of blocks b for the BIBD.
In , the concepts of a repairable distribution design and a basic repairing set are introduced, which will be used later to construct RTSs. We define the concepts here and continue our example.
- (i) the union of any t blocks contains at least
- (ii) the union of any
blocks contains at most points,
Finally, we consider the definition of a basic repairing set.
A subset of y blocks contained in a
A basic repairing set of a
We will compute
as required. ∎
We illustrate the concept of basic repairing sets for our ongoing example.
2.2 Regenerating codes
Regenerating codes are a class of distributed storage codes introduced in 2010 by Dimakis, Godfrey, Wu, Wainwright and Ramchandran . Regenerating codes distribute data between nodes and guarantee recoverability of the data with the cooperation of a sufficient number of nodes, and regeneration of lost or corrupted shares. Regenerating codes optimally trade the bandwidth needed for the regeneration of a failed node with the amount of data stored per node in the network.
There are no security requirements for regenerating codes. However, there exists literature exploring how to secure them. Here, we present an introduction to regenerating codes followed by a discussion on securing them.
2.2.1 Introduction to regenerating codes
Regenerating codes, and the notation used to describe them as in , are as follows.
- recoverable, meaning that D can be recovered by any t of the n nodes,
- repairable, meaning that any node can repair their share of the data by downloading β elements in
from each of the d repairing nodes.
The following bound on the number of data symbols distributed by an
Using this bound, it can be deduced that, when
This gives us the following parameters for the MBR condition:
At the MSR condition, the parameters are
Using these extreme conditions, we can define MBR and MSR codes.
A minimum bandwidth regenerating (MBR) code is an
Since MBR codes achieve the minimum possible repair bandwidth, a replacement node downloads only what it stores, so
Similarly, MSR codes must satisfy
There exist several constructions in the literature for both MBR and MSR codes. A construction of MBR codes for all possible parameters
be the five message symbols to be distributed.
Dispersal. Use a (public) generator matrix Ψ, with properties discussed in , and a message matrix M to generate the code
Regeneration. Say node
Each helper node then sends this value to
and thus recovers their lost share.
where the shares belonging to
We can use the properties of the message matrix M to observe that
which can be solved to give
which gives us four equations in three variables:
which can be solved to find
2.2.2 Securing regenerating codes
Securing regenerating codes was first explored in . We introduce the necessary definitions and notation in this subsection.
Consider an adversary who has access to (only) the data stored on
It is important to establish how many regenerations an adversary can witness because regenerating codes do not have any security requirements, so each regeneration may reveal information about the data stored.
In fact, each regeneration of an MBR code is secure. This is because
In contrast, MSR codes typically have insecure regenerations. This is because
As a side note, a node whose stored data the adversary can access, but whose regeneration the adversary cannot witness, could model an adversary gaining only momentary access. In contrast, a node for which the adversary can access both the stored data and the data downloaded during a regeneration could model an adversary with long-term access to the node.
Recall the data to be distributed in a regenerating code was denoted D such that
We conclude this introduction to regenerating codes by stating two theorems, each providing tighter upper bounds on
In  the authors consider a regenerating code where an adversary could witness the regeneration of every node they had access to, so
In , the authors consider the number of data symbols that can be securely distributed by an MSR code.
3 A naïve solution and efficiency metrics
In this section, we present a naïve construction for an RTS that meets all the necessary requirements. We then introduce the metrics used to measure the efficiency of an RTS; most are metrics discussed in , but the measure of repairability is novel. These metrics will be used going forwards to analyse other RTS constructions.
3.1 Naïve solution
Consider Construction 3.1, which presents a naïve construction for a universally repairable
Let s be the secret to be distributed. A
- Share: Distribute the secret s via a
-threshold scheme (for example, Shamir’s threshold scheme from Definition 1.2), to give n shares . Distribute each share , for via a -threshold scheme, resulting in the shares , for . As their share, player receives the -tuple .
- Recover: A set of players pool their shares. The elements
for are input to the recover algorithm of the -threshold scheme. If at least t players input valid shares, s will be recovered.
- Repair: If player
needs to repair their share, they request help from a set A of at least d players, who will each send the element , for i such that . Player then recovers their share via the recover algorithm of the -threshold scheme.
Intuitively, Construction 3.1 shares a secret s via a
3.2 Efficiency metrics
We are interested in the efficiency of an RTS and will consider the following metrics when analysing each scheme. The first metric, information rate, is a standard definition and was presented alongside the second metric in , whilst the third metric, repairability, is new.
- (i) Information rate. The first metric we consider is the information rate of the scheme, which is defined to be the ratio where
is the set of all possible shares and is the set of all possible secrets. Intuitively, this measures the amount of information each player is required to store compared to the size of the secret. The information rate is such that . Call an RTS with ideal.
- (ii) Communication complexity. As defined in , the communication complexity is the sum of the sizes (i.e. the bit lengths) of all messages transmitted during the repair algorithm, divided by the size of the secret. The communication complexity measures the amount of bandwidth required for each execution of the repair algorithm. We denote the communication complexity by γ.
- (iii) Repairability. We define the repairability of an RTS, denoted by κ, to be the number of d-subsets (of the
players) that are able to help a repairing player repair their share, divided by the number of possible d-subsets (of the players). Note that , where if and only if the RTS has universal repairability, as in Definition 1.4.
- (iv) Computational complexity. We briefly consider the computational complexity of the share, recover and repair algorithms of the RTS.
We will see that
We now revisit Construction 3.1 and consider how efficient the scheme is using these metrics.
Consider the share, recover and repair algorithms defining a
We briefly note that the share algorithm of the RTS requires the dealer to run the share algorithm of the underlying
4 Existing solutions
In this section, we consider three
4.1 The enrolment RTS
We introduce the enrolment RTS, which was originally proposed in . We then refine this scheme to achieve a lower communication and computational complexity. Finally, we show that the refined scheme achieves the optimal communication complexity for an ideal RTS.
4.1.1 Definition of the enrolment RTS
Assume there exists a
- (i) For all
, player computes random values for such that
- (ii) For all
, , player transmits to using a secure channel.
- (iii) For all
, player computes
- (iv) For all
, player transmits to player using a secure channel.
computes their share using the formula
The enrolment protocol is proven to be secure in . The proof highlights two cases: the first considers a coalition of
There are a number of observations to be made about the matrix E. The
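An added example, not taken from the paper: Shamir's scheme from Section 1.1, the re-sharing idea of Construction 3.1 and the four enrolment repair steps above, written in Python so that storage and message counts can be compared side by side. The prime modulus, the function names, the layout of each player's stored tuple and the orientation of the matrix E are assumptions made for this illustration.

```python
import secrets

P = 2**127 - 1  # assumed field: integers modulo a Mersenne prime (not from the paper)


def share(secret, t, n):
    """Shamir share: random f of degree t-1 with f(0) = secret; player i holds f(i)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def lagrange_coeff(i, xs, at):
    """Weight of f(i) when f(at) is interpolated from the points in xs."""
    num = den = 1
    for j in xs:
        if j != i:
            num = num * (at - j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def interpolate(points, t, at=0):
    """Evaluate f(at) from at least t points {x: f(x)}; at=0 recovers the secret."""
    if len(points) < t:
        raise ValueError("need at least t distinct shares")
    xs = sorted(points)[:t]
    return sum(lagrange_coeff(i, xs, at) * points[i] for i in xs) % P


def naive_share(secret, t, d, n):
    """Construction 3.1 style: share s with threshold t, then re-share every share
    with threshold d. Player j stores (own share, {i: sub-share of share i})."""
    top = share(secret, t, n)
    sub = {i: share(top[i], d, n) for i in top}
    return {j: (top[j], {i: sub[i][j] for i in top}) for j in top}


def naive_repair(players, lost, helpers, d):
    """Each helper sends its sub-share of the lost share; returns (share, messages)."""
    pieces = {j: players[j][1][lost] for j in helpers if j != lost}
    return interpolate(pieces, d), len(pieces)


def enrolment_repair(helper_shares, lost, t):
    """Enrolment repair with exactly t helpers; returns (share, E, messages).
    E[j][i] is the value helper i hands to helper j (layout is an assumption)."""
    if len(helper_shares) != t or lost in helper_shares:
        raise ValueError("need exactly t helpers, none of them the repairing player")
    helpers = sorted(helper_shares)
    E = {j: {} for j in helpers}
    messages = 0
    for i in helpers:
        # Step 1: split (Lagrange weight * own share) into t random summands.
        target = lagrange_coeff(i, helpers, lost) * helper_shares[i] % P
        parts = [secrets.randbelow(P) for _ in range(t - 1)]
        parts.append((target - sum(parts)) % P)
        # Step 2: one summand goes to each helper (the helper keeps its own).
        for j, part in zip(helpers, parts):
            E[j][i] = part
            messages += int(j != i)
    # Step 3: every helper adds up the summands it holds (one row of E).
    sigma = {j: sum(E[j].values()) % P for j in helpers}
    # Step 4: each helper sends its row sum to the repairing player, who adds them.
    messages += len(sigma)
    return sum(sigma.values()) % P, E, messages


if __name__ == "__main__":
    t, d, n = 3, 4, 6
    secret = 0xC0FFEE  # constructed sample secret
    players = naive_share(secret, t, d, n)
    print(naive_repair(players, 2, [1, 3, 4, 6], d)[0] == players[2][0])
    plain = share(secret, t, n)
    fixed, _, msgs = enrolment_repair({i: plain[i] for i in (1, 3, 5)}, 2, t)
    print(fixed == plain[2], msgs)
```

In this sketch the re-sharing variant repairs with d messages but every player stores n + 1 field elements, while the enrolment repair keeps one element per player and exchanges t² messages.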
4.1.2 Analysis of the enrolment RTS
We evaluate the efficiency of the enrolment RTS by considering the efficiency metrics presented in Section 3.2.
Each player is required to store only one share from Shamir’s threshold scheme. As this is an ideal threshold scheme, the enrolment RTS is ideal, and so
Next, we consider the communication complexity of the scheme. Messages are only exchanged in Steps 2 and 4. In Step 4, each of the t helping players is required to send one message to each of the other
Inherited from Shamir’s threshold scheme, the enrolment RTS has universal repairability and thus
Finally, we consider the computation required for the enrolment RTS. The share and recover algorithms of the enrolment RTS are identical to the share and recover algorithms of Shamir’s threshold scheme and therefore have the same complexity. In Step 1, the repair algorithm requires each of the t helping players to generate t random values and compute
4.1.3 Refining the enrolment RTS: The reduced enrolment RTS
We observe that not all messages in the share-exchange matrix E are necessary to enable
As before, let
- (i) For all
, player computes random values for such that
- (ii) For all
, , player transmits to using a secure channel.
- (iii) For all
, player computes
- (iv) For all
, player transmits to player using a secure channel.
computes their share using the formula
Verifying that player
The reduced enrolment RTS is information theoretically secure against a coalition A of strictly fewer than t players.
Assume all players act honestly during the protocol.
First, we note that computing the secret, given
- Case 1: The coalition A consists of a subset of
players in .
- Case 2: The coalition A consists of
along with a subset of players in .
We consider the share-exchange matrix of the reduced enrolment RTS. The matrix here is different to the share-exchange matrix of the enrolment RTS in (4.5), as player
As before, the sum of the entries in the
Consider Case 1, where A consists of a subset of
are all values known to the coalition.
This leads to the following system of equations:
However, the columns of the matrix on the left are linearly dependent, and thus it is possible to choose any arbitrary value for
Now, consider Case 2, where A consists of
Now, the coalition are left to try to compute
are all known. This leads to the following system of equations, where all values in the right-hand side vector are known:
As before, the columns in the matrix on the left are linearly dependent, and thus it is possible to choose an arbitrary value for one of
In either Case 1 or 2, the coalition A of
The reduced enrolment RTS maintains the information rate of the enrolment RTS,
From the analysis, we can observe that the reduced enrolment RTS maintains or improves on all the efficiency metrics and is thus a more efficient RTS than the enrolment RTS presented in  and here in Section 4.1.1.
4.1.4 Optimal communication complexity of the reduced enrolment RTS
As we have reduced the communication complexity of the enrolment RTS, it is a natural question to ask whether it could be reduced any further. We show here that the communication complexity for not only the enrolment RTS, but for any scheme securely computing the sum of shares, is in fact lower bounded by
The reduced enrolment RTS is in the setting in which t players wish for an external player to (privately) compute the sum of their t shares. Any set of at most
All known private protocols, including the reduced enrolment RTS, are oblivious protocols. That is, the decision whether player
We prove a lower bound on the number of messages required by any oblivious protocol allowing a
Note that the proof of Theorem 4.2 proves the same result as in . However, the proof in  considers a setting where the sum of the shares is computed by a player who also contributes an input and all players learn the output. Their proof does not immediately apply to our slightly different setting, where an external player with no input must compute the sum and the output is known only to this external player. As well as achieving slightly different goals, the protocol presented here is executed in two rounds, rather than t rounds (as is achieved in ).
The lower bound on the number of messages required to be sent by any oblivious protocol that allows a
Consider a graph with
We will show that, in order to be secure, the graph must be complete. That is, there must be a total of
For the graph to be complete, there must be t edges connected to every vertex, meaning the degree of any vertex v in the graph is t. We show that, if there exists a vertex with degree less than t, a coalition of
To show this, consider a vertex of the graph,
Hence, if there exists a node with degree less than t, the scheme is insecure. Therefore, each node must have degree equal to at least t, meaning the minimum number of edges in the graph, and therefore the minimum number of messages sent during the protocol, is
We have previously defined the reduced enrolment RTS which has a total of
4.2 Combinatorial repairability
Also in , Stinson and Wei propose a way to construct
We first present the construction of these schemes, then provide an example. We then analyse their efficiency; in particular, we apply our new metric measuring the repairability to these schemes.
4.2.1 Definition of scheme
The share algorithm is as follows. Suppose there exists an
We will refer to schemes constructed in this manner as combinatorial RTSs. We illustrate this construction via an example.
The share algorithm of a
To recover the secret, any two players can pool their shares, which will consist of at least five distinct sub-shares from the
In their paper, Stinson and Wei propose a number of combinatorial RTSs relying on a range of designs. They give some specific parameters for the underlying designs and the resulting RTS.
Note that these RTS schemes are secure due to the underlying properties on the
4.2.2 Analysis of combinatorial RTSs
A theorem in  states the information rate and communication complexity of combinatorial RTSs. Assume there exists an
Before calculating the repairability of the scheme, we note one disadvantage of the combinatorial RTSs that arises from the necessary condition in the aforementioned theorem: a
So, we are left to calculate the repairability κ of the combinatorial RTSs and analyse the computational complexity.
Combinatorial RTSs only have restricted repairability, so not all d-subsets of players will have the information required to help a repairing player reconstruct their share. The probability that a randomly chosen set of d players can help a repairing player repair their share is described in Theorem 4.4.
A randomly chosen subset of d players in a
of successfully repairing the share of a player
We illustrate this proof by continuing Example 4.3.
So, any randomly chosen set of
We make one final comment on the repairability of the combinatorial RTSs. In , it is not necessary to have the number of players in the scheme n to be equal to the number of blocks b. Instead, they bound n to be
From now on, when computing the repairability of a combinatorial RTS, we assume the number of players is maximal, so
We complete the analysis of the combinatorial RTSs by commenting on the complexity of each of the RTS algorithms. Once a
4.3 GLF scheme
In , the authors (Guang, Lu and Fu) present an information theoretically secure
The GLF construction achieves an information rate of
The share algorithm of the GLF RTS requires the generation of a linearised polynomial and the evaluation of t points on this polynomial; this is followed by the computation of the necessary MBR code, where the shares are treated as message symbols. The GLF recover algorithm requires recovery of the message symbols via the MBR code, then recovering the linearised polynomial from the message symbols. The repair algorithm is identical to the regeneration of a node in the underlying MBR code.
We will see how, when considering secure regeneration codes in Section 5, MBR codes can be used to achieve schemes with a better information rate and communication complexity than is achieved by the GLF RTS.
5 Solutions using regenerating codes
Secure regenerating codes, defined in Definition 2.15, can be used directly to construct
5.1 Applying regenerating codes to RTSs
Now, we translate the language used in regenerating codes into that used by repairable threshold schemes. Each node is equivalent to a player, and the data stored by the node is the player’s share. A regenerating node is equivalent to a repairing player. The strongest adversary considered in an RTS is equivalent to an
In general, the information rate of a
and the communication complexity is
As all regenerating codes have universal repairability, all
Note that, because
5.1.1 Using MBR codes as RTSs
The first corollary considers the information rate of an RTS based on an MBR code.
The information rate of the RTS is calculated as
By substituting in
5.1.2 Using MSR codes as RTSs
The following two corollaries consider the limitations of RTSs based on MSR codes.
Consider the bound given in Theorem 2.17. By setting
Assume we have an optimal (in terms of
As we have assumed
In fact, (5.3) illustrates how the information rate of a
Now, we consider secure regenerating codes as RTSs and analyse results.
5.2 Constructions of secure regenerating codes for RTSs
We consider three constructions for secure regenerating codes. The first of the three, , is a secure MBR code and can be constructed for all parameters
5.2.1 Shah, Rashmi and Kumar’s secure MBR construction 
In , the authors (Shah, Rashmi and Kumar) present an information theoretically secure
The SRK-MBR construction achieves a secure code by replacing a carefully chosen set of
Consider this secure
Now, as each player stores α elements in
As regenerating codes have universal repairability,
We present a brief example of this secure construction, which is a continuation from Example 2.14.
Consider the code in Example 2.14. The number of symbols that can be securely distributed via this
Finally, we briefly comment on the complexity of the scheme. All three algorithms, share, repair and recover, require all players to perform linear computations.
5.2.2 Rawat’s MSR construction 
In , Rawat proposes an information theoretically secure
Rawat’s construction is optimal with respect to
To calculate the communication complexity, it is useful to calculate
where α is defined to be
Then the communication complexity of the scheme is
5.2.3 Shah, Rashmi and Kumar’s secure MSR construction 
In , the authors present a secure
The SRK-MSR scheme is able to distribute
Denote the number of message symbols the SRK-MSR construction in  can securely distribute as
Then we can compare this to the bound
with an equality when
Consider the SRK-MSR construction as a
6 Comparison of techniques
In this section, we compare the RTS constructions introduced throughout. We begin by comparing MBR and MSR based schemes. Then, we compare schemes that prioritise communication complexity above information rate, followed by schemes prioritising information rate.
6.1 Comparing MBR and MSR codes
Here, we highlight some similarities and differences between
However, there are a number of major differences. Note that MBR codes prioritise bandwidth and thus the
Importantly, the repair algorithm for RTSs based on MBR codes is secure: the adversary is able to witness any number of regenerations and no information will be learnt. However, crucially, the repair algorithm for RTSs based on MSR codes is insecure: with each distinct regeneration, the adversary learns more information. Thus, the number of regenerations the adversary can witness affects the number of message symbols that can be securely distributed; the more regenerations witnessed, the fewer message symbols can be secured. In settings where
Finally, secure MBR based
Thus, between MBR based and MSR based RTSs, MBR based schemes appear to be the most applicable to RTSs, mainly because of the secure repair algorithm. In particular, the secure MBR construction presented in  appears to be the most applicable construction from the field of regenerating codes. This is because it achieves the upper bound for the value of
Table 1 compares the information rate and communication complexity for all universally repairable schemes considered for an example set of parameters. Due to the restrictions of the repairing degree d for the secure MSR constructions, the table considers the metrics for a
6.2 Comparison of techniques prioritising communication complexity
Both secure MBR schemes and combinatorial RTSs prioritise communication complexity over information rate. Here, we compare the SRK-MBR construction with the combinatorial RTSs given in .
Table 2 shows how the combinatorial RTSs in  compare to those based on secure MBR codes in  for certain parameters. The comparison shows the information rate ρ, communication complexity γ and repairability κ (assuming n is maximal for the combinatorial schemes), with bold rows showing the RTSs with different ρ and γ. The chosen parameters relate to proposed combinatorial RTSs in ; note that MBR schemes exist for all valid parameters of
[Table 2: Combinatorial schemes | MBR schemes]
From Table 2, we can see the schemes achieve equal information rate and communication complexities in most cases. In some cases, which are in bold, the SRK-MBR scheme achieves a better information rate and a better communication complexity than the combinatorial RTSs. In no case do the combinatorial RTSs achieve better results than the SRK-MBR construction. In fact, when the concept of restricted repairability was introduced in , it was suggested that compromising repairability may enable more efficient schemes. However, this appears to not be the case, at least so far.
As well as achieving similar or better values for ρ and γ in all defined parameters for t and d in , the SRK-MBR construction has two advantages over the combinatorial RTSs:
- (i) The MBR schemes in  achieve universal, rather than restricted, repairability.
- (ii) The combinatorial RTSs in  depend on the existence of certain combinatorial constructions. This is in contrast to MBR schemes, which can be constructed for all valid parameters
However, one advantage of the combinatorial RTSs in  is the computational complexity of repairing a share. In schemes based on either MBR or MSR codes, every repair requires helping nodes and the repairing node to execute linear computations. The combinatorial RTSs, in contrast to this, just require the helping nodes to send the repairing node a sub-share, with no computation being required for any of the players.
In conclusion, if communication complexity is a priority and if the players are able to compute linear combinations, RTSs based on MBR codes, such as those in , are likely to be preferable. If communication complexity is a priority but players are unable to run computations, the combinatorial schemes in  compromise repairability and, occasionally, information rate and bandwidth, in order to achieve a repair algorithm that requires no computations from any of the players involved.
6.3 Comparison of techniques prioritising information rate
Both schemes based on MSR codes and the enrolment (and reduced enrolment) RTS prioritise information rate and offer universal repairability.
However, because of the insecure repair protocol, secure MSR codes are unable to achieve an information rate as good as the reduced enrolment RTS. Therefore, if information rate is a priority, the reduced enrolment scheme appears to be the best candidate. However, despite the improvements made to the enrolment RTS, resulting in the reduced enrolment RTS, the communication complexity remains much higher than any of the other schemes.
In this paper, we have explored RTSs. We introduced a new metric for analysis, which we used when exploring existing RTS constructions. The three constructions we considered include the enrolment scheme from , which we refined to reduce the communication complexity, the combinatorial schemes from , which we analysed in more detail using our new metric, and the GLF scheme in , which we later showed to be inefficient.
After exploring existing schemes, we studied applying the field of secure regenerating codes to RTSs. We discussed the two main types of regenerating codes, MBR and MSR codes, which result in RTSs prioritising either communication complexity or information rate, respectively. We discussed some immediate results of using these codes as RTSs, then explored constructions of both MBR and MSR codes and considered the resulting RTSs.
Finally, we compared the range of RTS constructions and discussed the results found. We concluded that, due to the insecure repair algorithm of MSR codes, MSR codes may not provide the best RTS schemes. We also concluded that the best candidate solution for an RTS prioritising communication complexity is an optimal MBR. In particular, the SRK-MBR construction  is one such scheme and manages to achieve information rates at least as good as the combinatorial schemes in , whilst maintaining universal repairability. The best candidate solution for an RTS prioritising information rate appears to be our refined version of the enrolment scheme, originally presented as an RTS in  and refined here in Section 4.1.3.
J. C. Benaloh, Secret sharing homomorphisms: Keeping shares of a secret secret, Advances in Cryptology – CRYPTO’ 86, Lecture Notes in Comput. Sci. 263 Springer, Berlin (1986), 251–260.
G. R. Blakley, Safeguarding cryptographic keys, Proceedings of the National Computer Conference – AFIPS, Texas A&M University, College Station (1979), 313–317.
G. R. Blakley and G. Kabatianski, Ideal perfect threshold schemes and MDS codes, Proceedings of IEEE International Symposium on Information Theory, IEEE, Piscataway (1995), 488–488.
B. Chor and E. Kushilevitz, A communication-privacy tradeoff for modular addition, Inform. Process. Lett. 45 (1993), no. 4, 205–210.
A. Dimakis, P. Godfrey, Y. Wu, M. Wainwright and K. Ramchandran, Network coding for distributed storage systems, IEEE Trans. Inform. Theory 56 (2010), no. 9, 4539–4551.
S. Goparaju, S. El Rouayheb, R. Calderbank and H. Poor, Data secrecy in distributed storage systems under exact repair, Proceedings of International Symposium on Network Coding – NetCod, IEEE, Piscataway (2013), 1–6.
S. Goparaju, A. Fazeli and A. Vardy, Minimum storage regenerating codes for all parameters, Proceedings of IEEE International Symposium on Information Theory – ISIT IEEE, Piscataway (2016), 76–80.
X. Guang, J. Lu and F. Fu, Repairable threshold secret sharing schemes, preprint (2014), https://arxiv.org/abs/1410.7190.
E. D. Karnin, J. W. Greene and M. E. Hellman, On secret sharing systems, IEEE Trans. Inform. Theory 29 (1983), no. 1, 35–41.
M. Nojoumian, Novel secret sharing and commitment schemes for cryptographic applications, Ph.D. thesis, University of Waterloo, 2012.
M. Nojoumian, D. Stinson and M. Grainger, Unconditionally secure social secret sharing scheme, IET Inform. Secur. 4 (2010), no. 4, 202–211.
S. Pawar, S. El Rouayheb and K. Ramchandran, On secure distributed data storage under repair dynamics, Proceedings of the IEEE Symposium on Information Theory Proceedings – ISIT, IEEE, Piscataway (2010), 2543–2547.
K. Rashmi, N. Shah and P. Kumar, Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via a product-matrix construction, IEEE Trans. Inform. Theory 57 (2011), no. 8, 5227–5239.
A. Rawat, A note on secure minimum storage regenerating codes, preprint (2016), https://arxiv.org/abs/1608.01732.
N. Shah, K. Rashmi and P. V. Kumar, Information-theoretically secure regenerating codes for distributed storage, Proceedings of IEEE Global Telecommunications Conference – GLOBECOM, IEEE, Piscataway (2011), 1–5.
D. Stinson, Combinatorial Designs: Constructions and Analysis, Springer, New York, 2004.
D. Stinson and R. Wei, Combinatorial repairability for threshold schemes, Des. Codes Cryptogr. 86 (2017), no. 1, 1–16.
M. Ye and A. Barg, Explicit constructions of high-rate MDS array codes with optimal repair bandwidth, IEEE Trans. Inform. Theory 63 (2017), no. 4, 2001–2014.