HTML5 Webook

29/84

ally a much longer length, needs to be divided into pieces of -bit block, say l pieces; ||| . e data owner sets a -bit password P, which should have sucient entropy against an online dictionary attack, then computes a message authentication code, , which is denoted as , and nally adds it to the data for later purpose of message au-thentication.(1-2) For each data block, data shares 1 , 2 , 3 , 4 are created for storage server 1, 2, 3, and 4, respectively, by using polynomial of degree at most 2, where . Password shares 1 , 2 , 3 , 4 are created by using polynomial P of degree at most 1.(1-3) ey are then sent to the corresponding storage serv-ers.(1-4) Each server stores the set of shares.(2) Pre-computation and communication phase(2-1) Each server generates a random number, denoted as Rj for the j-th storage server, and makes its shares 1,2,3,4 by using polynomial of degree at most 1. Furthermore, each server generates shares of the “0” 1,2,3,4 by using polynomial of degree at most 2, such that 00 should hold so as to keep conden-tiality of the share in the data reconstruction phase without changing the value of the data share.(2-2) e storage servers send these shares to each other.(2-3) Each server receives three shares of three random numbers and three shares of the “0,” and stores them together with the ones produced by itself. For ITS, the above procedure has to be iterated l+1 times before each data reconstruction of blocks of secret data. at is, j-th storage server has to keep sets of ,,,,,,, .(3) Data reconstruction phase Let be the password in the data owner’s memory.(3-1) e data owner chooses three storage servers among the four. We may assume that they are storage server 1, 2, and 3 without loss of generality, denote them as a set L={1, 2, 3}.(3-2) e data owner generates shares of , 1 , 2 , 3 by using polynomial of degree at most 1.(3-3) Each set (L, ) is sent to each corresponding storage server (request).(3-4) If || , the request is rejected regarding it as an improper request. Otherwise, for each data block, each server, say j-th one, computes R , and (3) e ( ) are then sent to the data owner (response). Here, note that R and Z should be discarded at each request-response for ITS.(3-5) For each data block, the data owner nds polyno-mial of degree 2 that satises for all j. 0 is the reconstructed block.FiF2　Schematic diagram of password secret sharing protocol253-2 Information Theoretically Secure Distributed Storage with QKD and Password-Authenticated Secret Sharing