## 1 Introduction

In this introduction, we review basic facts about threshold schemes and repairability, we summarise our contributions and we outline the organisation of the paper.

### 1.1 Threshold schemes

We briefly introduce threshold schemes, then discuss the notation of share repairability in threshold schemes.

Suppose *t* and *n* are positive integers such that is a method in which a

*dealer*chooses a

*secret*

*s*and distributes a

*share*to each of the

*n*players

- •
*recoverability*: any subset of*t*players can compute the secret from the shares they collectively hold, - •
*secrecy*: no subset of fewer than*t*players can determine any information about the secret.

A threshold scheme consists of two algorithms: a *share* algorithm run by the dealer that receives as input the secret *s* and outputs *n* shares, and a *recover* algorithm, which receives as input at least *t* distinct, valid shares from the players and outputs the secret.

All threshold schemes we consider here are *unconditionally secure*, meaning all security results are valid against adversaries with unlimited computational power. Such schemes were introduced independently by Blakley and Shamir in 1979 [2, 16] and have been extensively studied since [3, 9].

The following construction is due to Shamir and yields a

Let *n* players, and let *p* elements,

- •
*Share*: Select values$t-1$ uniformly at random from${r}_{1},{r}_{2},\dots ,{r}_{t-1}$ , and let${\mathbb{Z}}_{p}$ be the polynomial defined by$f\in {\mathbb{Z}}_{p}\left[x\right]$ We give each player$f\left(x\right)={r}_{t-1}{x}^{t-1}+{r}_{t-2}{x}^{t-2}+\cdots +{r}_{1}x+s.$ , for${P}_{i}$ , the share$1\le i\le n$ .${v}_{i}=f\left(i\right)$ - •
*Recover*: A collection of*t*(or more) players perform polynomial interpolation on their shares in order to recover the polynomial*f*and hence determine the secret .$s=f\left(0\right)$

Shamir’s scheme is recoverable, as any set of *t* players can recover the secret via interpolation. Shamir’s scheme also maintains secrecy, as for any set of *s*.

### 1.2 Share repairability

Consider a scenario in which a player in a *repairing player*, could communicate with the dealer and request, then receive, a copy of their share. However, the dealer may not always be accessible when a player needs to repair their share. Ideally, in this dealer-less setting, the repairing player could ask for help from its cohort of players to repair its share. A scheme in which this is possible is called a *repairable threshold scheme* (RTS).

As before, let *t* and *n* be positive integers such that *d* the *repairing degree*. A , denoted

*repair*algorithm that allows a

*repairing player*

*d*players, called the

*helping players*.

We must define what it means for the repair algorithm to be secure. Assume a setting in which all players execute the repair algorithm correctly. Inherited from the security definition of a

We briefly note the bounds on the repairing degree *d*. First, consider the lower bound *t* players were able to construct a share for a player not in the coalition, then a coalition of *s* via the recover algorithm. This would contradict the privacy of the RTS, inherited from the threshold scheme, and would thus be insecure. The upper bound on the repairing degree is *n* players lost their share, there are at most *d*, as this allows repairability to be more robust. For example, if *d* is small, repairability would be possible even in a setting where several players are unavailable.

Finally, we introduce a notion, defined in [18], regarding the repairability of an RTS. As motivation for this definition, we note that in Definition 1.3 not every *d*-subset of the *d*-subset can help *d*-subsets, or some *d*-subsets, are able to help

A *universal repairability* if all *d*-subsets of the *restricted repairability* if some, but not all, *d*-subsets are able to repair

### 1.3 Our contributions

This paper aims to survey the currently fragmented field of repairable threshold schemes. We summarise the existing work and, where possible, enhance the schemes and conduct a more thorough analysis, then explore applying the rich field of secure regenerating codes to RTSs and find them to be immediately applicable. We then conduct a comparison between all known schemes, finding the best candidate solutions for RTSs with differing priorities. Besides unifying the current research, we highlight the following as explicit, novel contributions:

- •We introduce a new efficiency metric which measures the repairability of an RTS scheme. We use this metric to analyse existing RTSs, in particular, the combinatorial schemes presented in [18].
- •We enhance the enrolment scheme from [18] to achieve a smaller communication complexity whilst maintaining the information rate. We prove the minimality of the communication complexity.
- •We explore using secure regenerating codes as RTSs and present a number of implications on the resulting RTSs.
- •Based on our results, we propose the best candidate solutions for RTSs that prioritise either communication complexity or information rate.

### 1.4 Organisation

In Section 2, the relevant notions and definitions are introduced. This includes necessary definitions from combinatorial design theory and an overview of regenerating codes. In Section 3 we present a naïve construction for an RTS and introduce the metrics used to measure the efficiency of an RTS. Following this, Section 4 introduces, refines and analyses all known RTS constructions. This includes the both enrolment and combinatorial schemes presented in [18] and the scheme presented in [8]. In Section 5 we explore using regenerating codes as RTSs and find them to be immediately applicable. We then compare all the discussed RTS constructions in Section 6 and conclude in Section 7.

## 2 Preliminaries

In this section, we present some core ideas in combinatorial design theory from [17] and regenerating codes that we will need later.

### 2.1 Combinatorial design theory

Combinatorial design theory deals with arranging elements into finite sets with certain properties.

A *d*esign is a pair *X* is a set of elements, called *points*, and *blocks*, of *X*.

There is no restriction on the collection *simple*.

The *degree* of a point *x* occurs in. The design is called *regular* if all points have the same degree. The *rank*, *k*, of a design is the largest block in the collection *uniform*.

Balanced incomplete block designs are a widely studied type of design and are defined as follows:

A ,

- (i)
,$\left|X\right|=m$ - (ii)each block in
contains exactly$\mathcal{D}$ *k*points, - (iii)every pair of distinct points is contained in exactly λ blocks.

For convenience, blocks will be written in the form *abc*, rather than

Note that a BIBD is a regular, uniform, simple design.

The pair

The following theorem, presented without proof, shows the degree of every point *x* in a BIBD.

*In an *

*blocks.*

The value τ in Theorem 2.4 is called the *replication number* of the design. The following result, given without proof, provides more information about the structure of a BIBD and defines how many blocks a BIBD must have.

*An *

*blocks.*

Continuing from Example 2.3, we compute the replication number τ and the number of blocks *b* for the BIBD.

Consider the

In [18], the concept of a repairable distribution design and a basic repairing set are introduced, which will be used later to construct RTSs. We define the concept here and continue our example.

A is a design that satisfies the following two properties:

- (i)the union of any
*t*blocks contain at least points,${\ell}_{2}$ - (ii)the union of any
blocks contains at most$t-1$ points,${\ell}_{1}$

where *repairable* if every point in the distribution design occurs in at least two blocks.

The

Finally, we consider the definition of a basic repairing set.

A subset of *y* blocks contained in a *basic repairing set* of size *y* if every point in the design is contained in at least two blocks of the subset.

Obviously, *y*; the proof is very similar to the proof of Theorem 2.5.

*A basic repairing set of a *

Let

We will compute *m* ways to choose *y*, there are at least two blocks *A* such that *y* ways to choose a block *A*, there are *k* ways to choose

as required. ∎

We illustrate the concept of basic repairing sets for our ongoing example.

For the

### 2.2 Regenerating codes

Regenerating codes are a class of distributed storage codes introduced in 2010 by Dimakis, Godfrey, Wu, Wainwright and Ramchandran [5]. Regenerating codes distribute data between nodes and guarantee recoverability of the data with the cooperation of a sufficient number of nodes, and regeneration of lost or corrupted shares. Regenerating codes optimally trade the bandwidth needed for the regeneration of a failed node with the amount of data stored per node in the network.

There are no security requirements for regenerating codes. However, there exists literature exploring how to secure them. Here, we present an introduction to regenerating codes followed by a discussion on securing them.

### 2.2.1 Introduction to regenerating codes

Regenerating codes, and the notation used to describe them as in [5], is as follows.

Let *D* denote the data to be distributed, where *B* is the number of data symbols. Let *n**nodes*, each with the capacity to store α symbols in distributes

*D*amongst

*n*nodes such that each node stores a

*share*of the data, where each share consists of α elements in

- •
*recoverable*, meaning that*D*can be recovered by any*t*of the*n*nodes, - •
*repairable*, meaning that any node can repair their share of the data by downloading β elements in from each of the${\mathbb{F}}_{q}$ *d*repairing nodes.

The following bound on the number of data symbols distributed by an

Using this bound, it can be deduced that, when *d* are fixed, there is a trade-off between the size of the shares, α, and the bandwidth β required for repair. At one extreme of this trade-off we minimise β first and then α; this is the *minimum bandwidth regenerating (MBR) condition*. At the other extreme we minimise α and then β to get the *minimum storage regenerating (MSR) condition*.

This gives us the following parameters for the MBR condition:

At the MSR condition, the parameters are

Using these extreme condition, we can define MBR and MSR codes.

A *minimum bandwidth regenerating (MBR) code* is an *minimum storage regenerating (MSR) code* is an

Since MBR codes achieve the minimum possible repair bandwidth, a replacement node downloads only what it stores, so

Similarly, MSR codes must satisfy

There exist several constructions in the literature for both MBR and MSR codes. A construction of MBR codes for all possible parameters *d* is given in [13]. Examples of constructions of MSR codes can be found for all parameters *d* in [7, 19], and for

Example 2.14 shows a

Let

be the five message symbols to be distributed.

**Dispersal.** Use a (public) generator matrix Ψ, with properties discussed in [13], and a message matrix *M* to generate the code

Each node *i*, for *C*. Note that each row, and therefore each share, consists of

**Regeneration.** Say node *i* of Ψ. Each helper node

Each helper node then sends this value to

Node

and thus recovers their lost share.

**Recover.** Any

where the shares belonging to

We can use the properties of the message matrix *M* to observe that

which can be solved to give

which gives us four equations in three variables:

which can be solved to find

### 2.2.2 Securing regenerating codes

Securing regenerating codes was first explored in [12]. We introduce the necessary definitions and notation in this subsection.

Consider an adversary who has access to (only) the data stored on

It is important to establish how many regenerations an adversary can witness because regenerating codes do not have any security requirements, so each regeneration may reveal information about the data stored.

In fact, each regeneration of an MBR code is secure. This is because

In contrast, MSR codes typically have insecure regenerations. This is because

As a side note, a node for which an adversary has access to the data on, but cannot witness regenerate, could model the adversary gaining only momentary access. In contrast, a node for which an adversary has access to both the data on and the data downloaded during a regeneration, could model an adversary with long term access to the node.

Recall the data to be distributed in a regenerating code was denoted *D* such that

A *secure * is an

We conclude this introduction to regenerating codes by stating two theorems, each providing tighter upper bounds on

In [12] the authors consider a regenerating code where an adversary could witness the regeneration of every node they had access to, so

*Consider an *

In [6], the authors consider the number of data symbols that can be securely distributed by an MSR code.

*Consider an *

## 3 A naïve solution and efficiency metrics

In this section, we present a naïve construction for an RTS that meets all the necessary requirements. We then introduce the metrics used to measure the efficiency of an RTS; most are metrics discussed in [18], but the measure of repairability is novel. These metrics will be used going forwards to analyse other RTS constructions.

### 3.1 Naïve solution

Consider Construction 3.1, which presents a naïve construction for a universally repairable

Let *s* be the secret to be distributed. A

- •Share: Distribute the secret
*s*via a -threshold scheme (for example, Shamir’s threshold scheme from Definition 1.2), to give$(t,n)$ *n*shares . Distribute each share${v}_{1},\dots ,{v}_{n}$ , for${v}_{i}$ via a$1\le i\le n$ -threshold scheme, resulting in the shares$(d,n)$ , for${v}_{i,j}$ . As their share, player$1\le i,j\le n$ receives the${P}_{i}$ -tuple$\left(n+1\right)$ .${V}_{i}=({v}_{i},{v}_{1,i},{v}_{2,i},\dots ,{v}_{n,i})$ - •Recover: A set of players pool their shares. The elements
for${v}_{i}$ are input to the recover algorithm of the$1\le i\le n$ -threshold scheme. If at least$(t,n)$ *t*players input valid shares,*s*will be recovered. - •Repair: If player
needs to repair their share, they request help from a set${P}_{r}$ *A*of at least*d*players, who will each send the element${P}_{r}$ , for${v}_{i,r}$ *i*such that . Player${P}_{i}\in A$ then recovers their share via the recover algorithm of the${P}_{r}$ -threshold scheme.$(d,n)$

Intuitively, Construction 3.1 shares a secret *s* via a *d* players can act as helping players. The scheme is secure as any

### 3.2 Efficiency metrics

We are interested in the efficiency of an RTS and will consider the following metrics when analysing each scheme. The first metric, information rate, is a standard definition and was presented alongside the second metric in [18], whilst the third metric, repairability, is new.

- (i)
*Information rate*. The first metric we consider is the information rate of the scheme, which is defined to be the ratiowhere$\rho =\frac{{\mathrm{log}}_{2}\left|\mathcal{V}\right|}{{\mathrm{log}}_{2}\left|\mathcal{S}\right|},$ is the set of all possible shares and$\mathcal{V}$ is the set of all possible secrets. Intuitively, this measures the amount of information each player is required to store compared to the size of the secret. The information rate is such that$\mathcal{S}$ . Call an RTS with$0\le \rho \le 1$ $\rho =1$ *ideal*. - (ii)
*Communication complexity*. As defined in [18], the communication complexity is the sum of the sizes (i.e. the bit lengths) of all messages transmitted during the repair algorithm, divided by the size of the secret. The communication complexity measures the amount of bandwidth required for each execution of the repair algorithm. We denote the communication complexity by γ. - (iii)
*Repairability*. We define the*repairability*of an RTS, denoted by κ, to be the number of*d*-subsets (of the players) that are able to help a repairing player$n-1$ repair their share, divided by the number of possible${P}_{r}$ *d*-subsets (of the players). Note that$n-1$ , where$0\le \kappa \le 1$ if and only if the RTS has universal repairability, as in Definition 1.4.$\kappa =1$ - (iv)
*Computational complexity*. We briefly consider the computational complexity of the share, recover and repair algorithms of the RTS.

We will see that

We now revisit Construction 3.1 and consider how efficient the scheme is using these metrics.

Consider the share, recover and repair algorithms defining a *n* shares from the threshold scheme as their RTS share. Therefore, the information rate of the RTS is *d* players to send one of their shares from the *d*-subset of players can help a repairing player repair their scheme, hence

We briefly note that the share algorithm of the RTS requires the dealer to run the share algorithm of the underlying *n* times. The repair algorithm requires

## 4 Existing solutions

In this section, we consider three

### 4.1 The enrolment RTS

We introduce the enrolment RTS, which was originally proposed in [18]. We then refine this scheme to achieve a lower communication and computational complexity. Finally, we show that the refined scheme achieves the optimal communication complexity for an ideal RTS.

### 4.1.1 Definition of the enrolment RTS

A *enrolment RTS*.

Assume there exists a *n* players. The share and recover algorithms of the enrolment RTS are identical to the share and recover algorithms in Shamir’s threshold scheme, as in [16] and defined here in Definition 1.2. The repair algorithm of the enrolment RTS is as follows.

Suppose player *s*. The share

where

- (i)For all
, player$1\le i\le t$ computes random values${P}_{i}$ for${\delta}_{j,i}$ such that$1\le j\le t$ ${\zeta}_{i}{\phi}_{i}=\sum _{j=1}^{t}{\delta}_{j,i}.$ - (ii)For all
,$1\le i\le t$ , player$1\le j\le t$ transmits${P}_{i}$ to${\delta}_{j,i}$ using a secure channel.${P}_{j}$ - (iii)For all
, player$1\le j\le t$ computes${P}_{j}$ ${\sigma}_{j}=\sum _{i=1}^{t}{\delta}_{j,i}.$ - (iv)For all
, player$1\le j\le t$ transmits${P}_{j}$ to player${\sigma}_{j}$ using a secure channel.${P}_{r}$ - (v)Player
computes their share${P}_{r}$ using the formula${\phi}_{r}$ ${\phi}_{r}=\sum _{j=1}^{t}{\sigma}_{j}.$

It is straightforward to verify that player

The enrolment protocol is proven to be secure in [18]. The proof highlights two cases: the first considers a coalition of

In the proof, for convenience, they consider a *share-exchange matrix*, *E*, originally defined in [10]. We note this matrix here as it will be used to define a refined scheme in Section 4.1.3:

There are a number of observations to be made about the matrix *E*. The *E* is the message player *E* is equal to *E* is equal to *i* and receives all the values in column *i*.

### 4.1.2 Analysis of the enrolment RTS

We evaluate the efficiency of the enrolment RTS by considering the efficiency metrics presented in Section 3.2.

Each player is required to store only one share from Shamir’s threshold scheme. As this is an ideal threshold scheme, the enrolment RTS is ideal, and so

Next, we consider the communication complexity of the scheme. Messages are only exchanged in Steps 2 and 4. In Step 4, each of the *t* helping players are required to send one message to each of the other *t* helping players must send one message to the repairing player *t* messages. So, in total, the repair algorithm requires

Inherited from Shamir’s threshold scheme, the enrolment RTS has universal repairability and thus

Finally, we consider the computation required for the enrolment RTS. The share and recover algorithms of the enrolment RTS are identical to the share and recover algorithms of Shamir’s threshold scheme and therefore have the same complexity. In Step 1, the repair algorithm requires each of the *t* helping players to generate *t* random values and compute

### 4.1.3 Refining the enrolment RTS: The reduced enrolment RTS

We observe that not all messages in the share-exchange matrix *E* are necessary to enable

As before, let *s*. The share

- (i)For all
, player$1\le i\le t$ computes random values${P}_{i}$ for${\delta}_{j,i}$ such that$i\le j\le t$ ${\zeta}_{i}{\phi}_{i}=\sum _{j=i}^{t}{\delta}_{j,i}.$ - (ii)For all
,$1\le i\le t$ , player$i<j\le t$ transmits${P}_{i}$ to${\delta}_{j,i}$ using a secure channel.${P}_{j}$ - (iii)For all
, player$1\le j\le t$ computes${P}_{j}$ ${\sigma}_{j}=\sum _{i=j}^{t}{\delta}_{j,i}.$ - (iv)For all
, player$1\le j\le t$ transmits${P}_{j}$ to player${\sigma}_{j}$ using a secure channel.${P}_{r}$ - (v)Player
computes their share${P}_{r}$ using the formula${\phi}_{r}$ ${\phi}_{r}=\sum _{j=1}^{t}{\sigma}_{j}.$

Verifying that player

We show the reduced enrolment RTS is secure in Theorem 4.1. The proof is similar to the proof of the security of the enrolment RTS in [18].

*The reduced enrolment RTS is information theoretically secure against a coalition A of strictly fewer than t players.*

Assume all players act honestly during the protocol.

First, we note that computing the secret, given *t* shares allow the secret to be computed, and any

- •Case 1: The coalition
*A*consists of a subset of players in$t-1$ .$\{{P}_{1},\dots ,{P}_{t}\}$ - •Case 2: The coalition
*A*consists of along with a subset of${P}_{r}$ players in$t-2$ .$\{{P}_{1},\dots ,{P}_{t}\}$

We consider the share-exchange matrix of the reduced enrolment RTS. The matrix here is different to the share-exchange matrix of the enrolment RTS in (4.5), as player *E* and enter a “0” into the matrix to denote no message being sent. This means values

As before, the sum of the entries in the

Consider Case 1, where *A* consists of a subset of

where

are all values known to the coalition.

This leads to the following system of equations:

However, the columns of the matrix on the left are linearly dependent, and thus it is possible to choose any arbitrary value for

Now, consider Case 2, where *A* consists of

As

which implies

Now, the coalition are left to try to compute

where

are all known. This leads to the following system of equations, where all values in the right-hand side vector are known:

As before, the columns in the matrix on the left are linearly dependent, and thus it is possible to choose an arbitrary value for one of

In either Case 1 or 2, the coalition *A* of

The reduced enrolment RTS maintains the information rate of the enrolment RTS, *i* random values, rather than *t*, and must compute

From the analysis, we can observe that the reduced enrolment RTS maintains or improves on all the efficiency metrics and is thus a more efficient RTS than the enrolment RTS presented in [18] and here in Section 4.1.1.

### 4.1.4 Optimal communication complexity of the reduced enrolment RTS

As we have reduced the communication complexity of the enrolment RTS, it is a natural question to ask whether it could be reduced any further. We show here that the communication complexity for not only the enrolment RTS, but for any scheme securely computing the sum of shares, is in fact lower bounded by

The reduced enrolment RTS is in the setting in which *t* players wish for an external player to (privately) compute the sum of their *t* shares. Any set of at most

All known private protocols, including the reduced enrolment RTS, are *oblivious protocols*. That is, the decision whether player *h* is determined by *h*, and does not depend on the input and random coins. By assuming a private protocol, we are able to prove the lower bound on the communication complexity whilst making fewer assumptions on the protocol, such as the number of rounds required and the exact number of messages each player either sends or receives.

We prove a lower bound on the number of messages required by any oblivious protocol allowing a *t* player’s values such that the protocol is *t*-private, meaning any subset of at most

Note that the proof of Theorem 4.2 proves the same result as in [4]. However, the proof in [4] considers a setting where the sum of the shares is computed by a player who also contributes an input and all players learn the output. Their proof does not immediately apply to our slightly different setting, where an external player with no input is must compute the sum and the output is known only to this external player. As well as achieving slightly different goals, the protocol presented here is executed in two rounds, rather than *t* rounds (as is achieved in [4]).

*The lower bound on the number of messages required to be sent by any oblivious protocol that allows a *

Consider a graph with *i* and *j* means that either player *t* vertices, we observe that each of these vertices must communicate their share to the

We will show that, in order to be secure, the graph must be complete. That is, there must be a total of

For the graph to be complete, there must be *t* edges connected to every vertex, meaning the degree of any vertex *v* in the graph is *t*. We show that, if there exists a vertex with degree less than *t*, a coalition of

To show this, consider a vertex of the graph, *t*. Specifically, let *A*, which consists of all vertices excluding *A*. Therefore *A* knows all inputs and outputs to both *A* already knew the *A* knowledge of all *t* shares and the sum of all the shares.

Hence, if there exists a node with degree less than *t*, the scheme is insecure. Therefore, each node must have degree equal to at least *t*, meaning the minimum number of edges in the graph, and therefore the minimum number of messages sent during the protocol, is

We have previously defined the reduced enrolment RTS which has a total of

### 4.2 Combinatorial repairability

Also in [18], Stinson and Wei propose a way to construct

We first present the construction of these schemes, then provide an example. We then analyse their efficiency; in particular, we apply our new metric measuring the repairability to these schemes.

### 4.2.1 Definition of scheme

The share algorithm is as follows. Suppose there exists an *b* blocks, as in Definition 2.2, which is also a repairable *sub-shares*. Let *b* is the number of blocks in the BIBD. In [18], they construct a *n* players, as defined in the distribution design. Each block in the design represents a player, and each point represents a sub-share. The recover algorithm requires *t* players to pool their shares and recover the shared secret via the recover algorithm of the *d* sub-shares from *d* players who each store one of

We will refer to schemes constructed in this manner as combinatorial RTSs. We illustrate this construction via an example.

The share algorithm of a *n* has been chosen to be maximal. Also consider a

To recover the secret, any two players can pool their shares, which will consist of at least five distinct sub-shares from the

In their paper, Stinson and Wei propose a number of combinatorial RTSs relying on a range of designs. They give some specific parameters for the underlying designs and the resulting RTS.

Note that these RTS schemes are secure due to the underlying properties on the *t* players will learn at most

### 4.2.2 Analysis of combinatorial RTSs

A theorem in [18] states the information rate and communication complexity of combinatorial RTSs. Assume there exists an *b* blocks that contains a basic repairing set of size *y*, and suppose that

Before calculating the repairability of the scheme, we note one disadvantage of the combinatorial RTSs that arises from the necessary condition in the aforementioned theorem: a *m* points with *n* blocks of size *d*. This is not true for all possible parameters *n*, and so this construction may not be able to build an RTS with the desired parameters.

So, we are left to calculate the repairability κ of the combinatorial RTSs and analyse the computational complexity.

Combinatorial RTSs only have restricted repairability, so not all *d*-subsets of players will have the information required to help a repairing player reconstruct their share. The probability that a randomly chosen set of *d* players can help a repairing player repair their share is described in Theorem 4.4.

*A randomly chosen subset of d players in a *

*of successfully repairing the share of a player *

Assume an *m* points with *n* blocks of size *d*. Say player *d* sub-shares. There are a potential *d* of these players are required to repair *d*-subsets that could collaborate to help *d*-subsets have the information required to repair *d* helping players must send *d*-subsets that collectively hold the information required to help *d*-subsets that could successfully act as helping players, *d*-subsets,

We illustrate this proof by continuing Example 4.3.

Consider the

So, any randomly chosen set of

We make one final comment on the reparability of the combinatorial RTSs. In [18], it is not necessary to have the number of players in the scheme *n* to be equal to the number of blocks *b*. Instead, they bound *n* to be *y* is the size of the basic repairing set and *b* is the number of blocks in the design. If

Consider a

From now on, when computing the reparability of a combinatorial RTS, we assume the number of players is maximal, so

We complete the analysis of the combinatorial RTSs by commenting on the complexity of each of the RTS algorithms. Once a

### 4.3 GLF scheme

In [15], the authors (Guang, Lu and Fu) present an information theoretically secure *d*.

The GLF construction achieves an information rate of

The share algorithm of the GLF RTS requires the generation of a linearised polynomial and the evaluation of *t* points on this polynomial; this is followed by the computation of the necessary MBR code, where the shares are treated as message symbols. The GLF recover algorithm requires recovery of the message symbols via the MBR code, then recovering the linearised polynomial from the message symbols. The repair algorithm is identical to the regeneration of a node in the underlying MBR code.

We will see how, when considering secure regeneration codes in Section 5, MBR codes can be used to achieve schemes with a better information rate and communication complexity than is achieved by the GLF RTS.

## 5 Solutions using regenerating codes

Secure regenerating codes, defined in Definition 2.15, can be used directly to construct

### 5.1 Applying regenerating codes to RTSs

Now, we translate the language used in regenerating codes into that used by repairable threshold schemes. Each node is equivalent to a player, and the data stored by the node is the player’s share. A regenerating node is equivalent to a repairing player. The strongest adversary considered in an RTS is equivalent to an

In general, the information rate of a

and the communication complexity is

As all regenerating codes have universal repairability, all

Note that, because

Prior to considering constructions of secure regenerating codes, we consider implications of the bounds given in Theorems 2.16 and 2.17 when considered in the setting of RTSs.

### 5.1.1 Using MBR codes as RTSs

The first corollary considers the information rate of an RTS based on an MBR code.

*A *

The information rate of the RTS is calculated as

By substituting in *t* is defined to be such that

### 5.1.2 Using MSR codes as RTSs

The following two corollaries consider the limitations of RTSs based on MSR codes.

*A *

Consider the bound given in Theorem 2.17. By setting

*A *

Assume we have an optimal (in terms of

As we have assumed

For the

In fact, (5.3) illustrates how the information rate of a

Now, we consider secure regenerating codes as RTSs and analyse results.

### 5.2 Constructions of secure regenerating codes for RTSs

We consider three constructions for secure regenerating codes. The first of the three, [15], is a secure MBR code and can be constructed for all parameters *d*.

### 5.2.1 Shah, Rashmi and Kumar’s secure MBR construction [15]

In [15], the authors (Shah, Rashmi and Kumar) present an information theoretically secure *striping* and is detailed in [13]). We call this construction the SRK-MBR construction.

The SRK-MBR construction achieves a secure code by replacing a carefully chosen set of

Consider this secure

Now, as each player stores α elements in

As regenerating codes have universal repairability,

We present a brief example of this secure construction, which is a continuation from Example 2.14.

Consider the code in Example 2.14. The number of symbols that can be securely distributed via this

Finally, we briefly comment on the complexity of the scheme. All three algorithms, share, repair and recover, require all players to compute linear computations.

### 5.2.2 Rawat’s MSR construction [14]

In [14], Rawat proposes an information theoretically secure *d*. Rawat’s MSR construction can be treated as a

Rawat’s construction is optimal with respect to

To calculate the communication complexity, it is useful to calculate

where α is defined to be

Then the communication complexity of the scheme is

As before,

### 5.2.3 Shah, Rashmi and Kumar’s secure MSR construction [15]

In [15], the authors present a secure

The SRK-MSR scheme is able to distribute

*The *

Denote the number of message symbols the SRK-MSR construction in [15] can securely distribute as

We can substitute in the values for

Then we can compare this to the bound

with an equality when

Consider the SRK-MSR construction as a

## 6 Comparison of techniques

In this section, we compare the RTS constructions introduced throughout. We begin by comparing MBR and MSR based schemes. Then, we compare schemes that prioritise communication complexity above information rate, followed by schemes prioritising information rate.

### 6.1 Comparing MBR and MSR codes

Here, we highlight some similarities and differences between

Firstly, all

However, there are a number of major differences. Note that MBR codes prioritise bandwidth and thus the

Importantly, the repair algorithm for RTSs based on MBR codes is secure: the adversary is able to witness any number of regenerations and no information will be learnt. However, crucially, the repair algorithm for RTSs based on MSR codes is insecure: with each distinct regeneration, the adversary learns more information. Thus, the number of regenerations the adversary can witness affects the number of message symbols that can be securely distributed; the more regenerations witnessed, the fewer message symbols can be secured. In settings where

Finally, secure MBR based *d*. In the current literature, there does not appear to be any secure construction based on MSR codes for all valid parameters, and a secure construction for

Thus, between MBR based and MSR based RTSs, MBR based schemes appear to be the most applicable to RTSs, mainly because of the secure repair algorithm. In particular, the secure MBR construction presented in [15] appears to be the most applicable construction from the field of regenerating codes. This is because it achieves the upper bound for the value of

Table 1 compares the information rate and communication complexity for all universally repairable schemes considered for an example set of parameters. Due to the restrictions of the repairing degree *d* for the secure MSR constructions, the table considers the metrics for a

### 6.2 Comparison of techniques prioritising communication complexity

Both secure MBR schemes and combinatorial RTSs prioritise communication complexity over information rate. Here, we compare the SRK-MBR construction with the combinatorial RTSs given in [18].

Table 2 shows how the combinatorial RTSs in [18] compare to those based on secure MBR codes in [15] for certain parameters. The comparison shows the information rate ρ, communication complexity γ and repairability κ (assuming *n* is maximal for the combinatorial schemes), with bold rows showing the RTSs with different ρ and γ. The chosen parameters relate to proposed combinatorial RTSs in [18]; note that MBR schemes exist for all valid parameters of *d*, but the combinatorial RTSs rely on the existence of an underlying design with relevant parameters.

Comparison of

Combinatorial schemes [18] | MBR schemes [15] | |||||||

n | ρ | γ | κ | ρ | γ | κ | ||

0.1636 | 1 | |||||||

0.0361 | 1 | |||||||

0.0139 | 1 | |||||||

0.0060 | 1 | |||||||

0.0073 | 1 | |||||||

0.0019 | 1 | |||||||

0.0263 | 1 | |||||||

0.0263 | 1 | |||||||

0.0003 | 1 | |||||||

0.0003 | 1 | |||||||

0.0016 | 1 | |||||||

0.0016 | 1 | |||||||

4 | 0.0016 | 1 | ||||||

0.0136 | 1 | |||||||

2 | 0.0136 | 2 | 1 | |||||

0.0660 | 1 | |||||||

0.0660 | 1 | |||||||

5 | 0.0660 | 1 | ||||||

0.0263 | 1 | |||||||

0.0263 | 1 | |||||||

3 | 0.0263 | 2 | 1 |

From Table 2, we can see the schemes achieve equal information rate and communication complexities in most cases. In some cases, which are in bold, the SRK-MBR scheme achieves a better information rate and a better communication complexity than the combinatorial RTSs. In no case do the combinatorial RTSs achieve better results than the SRK-MBR construction. In fact, when the concept of restricted repairability was introduced in [18], it was suggested that compromising repairability may enable more efficient schemes. However, this appears to not be the case, at least so far.

As well as achieving similar or better values for ρ and γ in all defined parameters for *t* and *d* in [18], the SRK-MBR construction has two advantages over the combinatorial RTSs:

- (i)The MBR schemes in [15] achieve universal, rather than restricted, repairability.
- (ii)The combinatorial RTSs in [18] depend on the existence of certain combinatorial constructions. This is in contrast to MBR schemes, which can be constructed for all valid parameters
and$n,t$ *d*.

However, one advantage of the combinatorial RTSs in [18] is the computational complexity of repairing a share. In schemes based on either MBR or MSR codes, every repair requires helping nodes and the repairing node to execute linear computations. The combinatorial RTSs, in contrast to this, just require the helping nodes to send the repairing node a sub-share, with no computation being required for any of the players.

In conclusion, if communication complexity if a priority and if the player’s are able to compute linear combinations, RTSs based on MBR codes, such as those in [15] are likely to be preferable. If communication complexity is a priority but players are unable to run computations, the combinatorial schemes in [18] compromise repairability and, occasionally, information rate and bandwidth, in order to achieve a repair algorithm that requires no computations from any of the players involved.

### 6.3 Comparison of techniques prioritising information rate

Both schemes based on MSR codes and the enrolment (and reduced enrolment) RTS prioritise information rate and offer universal repairability.

However, because of the insecure repair protocol, secure MSR codes are unable to achieve an information rate as good as the reduced enrolment RTS. Therefore, if information rate is a priority, the reduced enrolment scheme appears to be the best candidate. However, despite the improvements made to the enrolment RTS, resulting in the reduced enrolment RTS, the communication complexity remains much higher than any of the other schemes.

## 7 Conclusion

In this paper, we have explored RTSs. We introduced a new metric for analysis, which we used when exploring existing RTS constructions. The three constructions we considered include the enrolment scheme from [18], which we refined to reduce the communication complexity, the combinatorial schemes from [18], which we used our new metric to analyse in more detail, and the GLF scheme in [15], which we later showed to be inefficient.

After exploring existing schemes, we studied applying the field of secure regenerating codes to RTSs. We discussed the two main types of regenerating codes, MBR and MSR codes, which result in RTSs prioritising either communication complexity or information rate, respectively. We discussed some immediate results of using these codes as RTSs, then explored constructions of both MBR and MSR codes and considered the resulting RTSs.

Finally, we compared the range of RTS constructions and discussed the results found. We concluded that, due to the insecure repair algorithm of MSR codes, MSR codes may not provide the best RTS schemes. We also concluded that the best candidate solution for an RTS prioritising communication complexity is an optimal MBR. In particular, the SRK-MBR construction [15] is one such scheme and manages to achieve information rates at least as good as the combinatorial schemes in [18], whilst maintaining universal repairability. The best candidate solution for an RTS prioritising information rate appears to be our refined version of the enrolment scheme, originally presented as an RTS in [18] and refined here in Section 4.1.3.

## References

- [1]↑
J. C. Benaloh, Secret sharing homomorphisms: Keeping shares of a secret secret, Advances in Cryptology – CRYPTO’ 86, Lecture Notes in Comput. Sci. 263 Springer, Berlin (1986), 251–260.

- [2]↑
G. R. Blakley, Safeguarding cryptographic keys, Proceedings of the National Computer Conference – AFIPS, Texas A&M University, College Station (1979), 313–317.

- [3]↑
G. R. Blakley and G. Kabatianski, Ideal perfect threshold schemes and MDS codes, Proceedings of IEEE International Symposium on Information Theory, IEEE, Piscataway (1995), 488–488.

- [4]↑
B. Chor and E. Kushilevitz, A communication-privacy tradeoff for modular addition, Inform. Process. Lett. 45 (1993), no. 4, 205–210.

- [5]↑
A. Dimakis, P. Godfrey, Y. Wu, M. Wainwright and K. Ramchandran, Network coding for distributed storage systems, IEEE Trans. Inform. Theory 56 (2010), no. 9, 4539–4551.

- [6]↑
S. Goparaju, S. El Rouayheb, R. Calderbank and H. Poor, Data secrecy in distributed storage systems under exact repair, Proceedings of International Symposium on Network Coding – NetCod, IEEE, Piscataway (2013), 1–6.

- [7]↑
S. Goparaju, A. Fazeli and A. Vardy, Minimum storage regenerating codes for all parameters, Proceedings of IEEE International Symposium on Information Theory – ISIT IEEE, Piscataway (2016), 76–80.

- [8]↑
X. Guang, J. Lu and F. Fu, Repairable threshold secret sharing schemes, preprint (2014), https://arxiv.org/abs/1410.7190.

- [9]↑
E. D. Karnin, J. W. Greene and M. E. Hellman, On secret sharing systems, IEEE Trans. Inform. Theory 29 (1983), no. 1, 35–41.

- [10]↑
M. Nojoumian, Novel secret sharing and commitment schemes for cryptographic applications, Ph.D. thesis, University of Waterloo, 2012.

- [11]↑
M. Nojoumian, D. Stinson and M. Grainger, Unconditionally secure social secret sharing scheme, IET Inform. Secur. 4 (2010), no. 4, 202–211.

- [12]↑
S. Pawar, S. El Rouayheb and K. Ramchandran, On secure distributed data storage under repair dynamics, Proceedings of the IEEE Symposium on Information Theory Proceedings – ISIT, IEEE, Piscataway (2010), 2543–2547.

- [13]↑
K. Rashmi, N. Shah and P. Kumar, Optimal exact-regenerating codes for distributed storage at the MSR and MBR points via a product-matrix construction, IEEE Trans. Inform. Theory 57 (2011), no. 8, 5227–5239.

- [14]↑
A. Rawat, A note on secure minimum storage regenerating codes, preprint (2016), https://arxiv.org/abs/1608.01732.

- [15]↑
N. Shah, K. Rashmi and P. V. Kumar, Information-theoretically secure regenerating codes for distributed storage, Proceedings of IEEE Global Telecommunications Conference – GLOBECOM, IEEE, Piscataway (2011), 1–5.

- [18]↑
D. Stinson and R. Wei, Combinatorial repairability for threshold schemes, Des. Codes Cryptogr. 86 (2017), no. 1, 1–16.

- [19]↑
M. Ye and A. Barg, Explicit constructions of high-rate MDS array codes with optimal repair bandwidth, IEEE Trans. Inform. Theory 63 (2017), no. 4, 2001–2014.