Online data storage using implicit security

Abhishek Parakh *, Subhash Kak
Computer Science Department, Oklahoma State University, Stillwater, OK 74075, USA
Article info
Article history:
Received 27 October 2008
Received in revised form 24 April 2009
Accepted 24 May 2009
Keywords:
Online data storage
Data partitioning
Implicit security architecture
Abstract
It is advantageous to use implicit security for online data storage in a cloud computing environment. We describe the use of a data partitioning scheme for implementing such security involving the roots of a polynomial in finite field. The partitions are stored on randomly chosen servers on the network and they need to be retrieved to recreate the original data. Data reconstruction requires access to each server, login password and the knowledge of the servers on which the partitions are stored. This scheme may also be used for data security in sensor networks and internet voting protocols.
© 2009 Elsevier Inc. All rights reserved.
1. Introduction
Securing data stored on distributed servers is of fundamental importance in cloud computing. The traditional (explicit) approach to securing data is to store and back it up on a single server and allow access upon the use of passwords that are needed to be frequently changed. But there is a tendency among users to keep passwords simple and memorable [11,21,23] leading to the possibility of brute force attacks. Furthermore since the data on the Web is archived, keys that provide adequate encryption today are likely to be broken in the future. Therefore, explicit security architecture may not be adequate for many applications.
To go beyond the present approach, one may incorporate further security within the system by using puzzles [14] or otherwise by another layer that increases the space that the intruder must search in order to break the system. Here, we propose an implicit security architecture in which security is distributed amongst many entities. In contrast to hash-based distributed security models for wireless sensor networks [27–29,31,12], we consider a more general method of data partitioning. In this approach, stored data is partitioned into two or more pieces and stored at randomly chosen places on the network that are known only to the owner of the data. Access to these pieces not only depends on the knowledge of a password but also on the knowledge of where the pieces are stored. The division of data is performed in such a way that the knowledge of all the pieces is required to recreate the data and that none of the individual pieces reveals any useful information. In scenarios where one or more pieces may be at the danger of being lost or inaccessible due to system or network failure, one may employ schemes that can recreate the data from a subset of original pieces. Formally, our scheme consists of two parts: the first part is a $(k, k)$ partitioning scheme where all the $k$ partitions are required to recreate the data and the second part extends the first part of the scheme to a $(k, n)$ partitioning scheme, where $k \le n$ and $k \ge 2$, i.e. only $k$ out of $n$ partitions are required to recreate the data.
A number of schemes have been proposed in the communications context for splitting and sharing of decryption keys [25,8,22]. These schemes fall under the category of secret sharing schemes, where the decryption key is considered to be a secret. Motivated by the need to have an analog of the case where several officers must simultaneously use their keys before a bank vault or a safe deposit box can be opened, these schemes do not consider the requirement of data protection for a single party. Further, in any secret sharing scheme it is assumed that the encrypted data is stored in a secure place and that none of it can be compromised without the decryption key. Some schemes that directly apply secret sharing for distributed data storage in sensor networks have been proposed [6,10,30], but have a complexity of $O(n \log^2 n)$ at best, whereas our scheme can achieve linear complexity. Other schemes aim at sharing multiple secrets [7] but have a complexity of $O(n^2)$ or generate group keys for group sharing of information [17]. Certain probability models have been proposed for reconstructing secret sharing over the Internet [18], but only focus on strategies for share distribution over the network and do not provide methods for data partitioning.

* Corresponding author. Tel.: +1 405 744 5740.
E-mail addresses: parakh@cs.okstate.edu (A. Parakh), subhashk@cs.okstate.edu (S. Kak).
Information Sciences 179 (2009) 3323–3331
Contents lists available at ScienceDirect
journal homepage: www.elsevier.com/locate/ins
0020-0255/$ - see front matter © 2009 Elsevier Inc. All rights reserved.
doi:10.1016/j.ins.2009.05.013

In this paper, we therefore protect data by distributing its parts over various servers. The idea of doing these partitions is a generalization of the use of 3 or 9 roots of a number in a cubic transformation [15]. The scheme we present is simple and easily implementable.
We would like to stress that the presented scheme is different from Shamir's secret sharing scheme [25] which takes the advantage of polynomial interpolation and maps the secret on the y-axis; whereas we map the data as roots of a polynomial on the x-axis.
A potential application of the idea of implicit security is in secure internet voting. Internet voting is an inherent part of the online virtual worlds, such as Second Life, Active Worlds, Habbo Hotel, and others, and is only a few years away from large scale real-world implementations [26,1–3]. These virtual worlds provide an excellent test-bed for online voting schemes, which once successful may be used in real-world democratic process. To make use of the implicit security architecture in online voting, the voter's cast ballot is considered as his data and the partitions of this ballot may be stored on different servers for distributed security. Such a system will protect the intermediate election results from being revealed while distributing the security of the ballots over different servers [20].
2. Proposed data partitioning scheme
2.1. The $(k, k)$ data partitioning scheme
We consider the model of Fig. 1 to illustrate the difference between explicit and implicit security. We need to partition data and send it to randomly chosen servers. We now describe our data partitioning scheme.
By the fundamental theorem of algebra, every equation of degree $k$ has $k$ roots. We use this fact to partition data into $k$ partitions such that each of the partitions is stored on a different server. No explicit encryption of data is required to secure each partition. The partitions in themselves do not reveal any information and hence are implicitly secure. Only when all the partitions are brought together is the data revealed.
Consider an equation of order $k$

$$x^k + a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + \cdots + a_1 x + a_0 = 0 \tag{1}$$

Eq. (1) has $k$ roots denoted by $\{r_1, r_2, \ldots, r_k\} \subseteq \{\text{set of complex numbers}\}$ and can be rewritten as

$$(x - r_1)(x - r_2)\cdots(x - r_k) = 0 \tag{2}$$

In cryptography, it is more convenient to use the finite field $Z_p$ where $p$ is a large prime. If we replace $a_0$ in (1) with the data $d \in Z_p$ that we wish to partition then,

$$x^k + \sum_{i=1}^{k-1} a_{k-i}x^{k-i} + d \equiv 0 \bmod p \tag{3}$$

where $0 \le a_i \le p-1$ and $0 \le d \le p-1$. (Note that one may alternatively use $-d$ in (3) instead of $d$.) This may be rewritten as

$$\prod_{i=1}^{k}(x - r_i) \equiv 0 \bmod p \tag{4}$$

where $1 \le r_i \le p-1$. The $r_i$ are the partitions (Fig. 2). It is clear that the term $d$ in (3) is independent of variable $x$ and therefore

$$\prod_{i=1}^{k} r_i \equiv d \bmod p \tag{5}$$

Fig. 1. Illustration of implicit and explicit security architectures.
If we allow the coefficients in (3) to take values $a_1 = a_2 = \cdots = a_{k-1} = 0$, then (3) will have $k$ roots only if $\mathrm{GCD}(p-1, k) \ne 1$ and $\exists b \in Z_p$ such that $d$ is the $k$th power of $b$. One simple way to choose such a $p$ would be to choose a prime of the form $(k \cdot s + 1)$, where $s \in \mathbb{N}$. However, such a choice would not provide good security because knowledge of the number of roots and one of the partitions would be sufficient to recreate the original data by computing the $k$th power of that partition. Furthermore, not all values of $d$ will have a $k$th root and hence one cannot use any arbitrary data, which would ideally be required. Therefore, one of the restrictions on choosing the coefficients is that not all of them are simultaneously zero.
For example, if the data needs to be divided into two parts then an equation of second degree is chosen and the roots computed. If we represent this general equation by

$$x^2 + a_1 x + d \equiv 0 \bmod p \tag{6}$$

then the two roots can be calculated by solving the following equation modulo $p$:

$$x = \frac{-a_1 \pm \sqrt{a_1^2 - 4d}}{2} \tag{7}$$

which has a solution in $Z_p$ only if the square root $\sqrt{a_1^2 - 4d}$ exists modulo $p$. If the square root does not exist then a different value of $a_1$ needs to be chosen. We present a practical way of choosing the coefficients below. However, this brings out the second restriction on the coefficients, i.e. they should be so chosen such that a solution to the equation exists in $Z_p$.
Theorem 1. If the coefficients $a_i$, $1 \le i \le k-1$ in Eq. (3) are randomly and uniformly chosen and are not all simultaneously zero, then the knowledge of any $k-1$ roots of the equation, such that Eq. (4) holds, does not provide any information about the value of $d$ with a probability greater than that of a random guess of $1/p$.
Proof. Given a specific $d$, the coefficients in (3) can be chosen to satisfy (4) in $Z_p$ in the following manner. Choose at random from the field $k-1$ random roots $r_1, r_2, \ldots, r_{k-1}$. Then $k$th root $r_k$ can be computed by solving the following equation,

$$r_k \equiv d \cdot (r_1 \cdot r_2 \cdots r_{k-1})^{-1} \bmod p \tag{8}$$

Since the roots are uniformly and randomly distributed in $Z_p$, the probability of guessing $r_k$ without knowing the value of $d$ is $1/p$. Conversely, $d$ cannot be estimated with a probability greater than $1/p$ without knowing the $k$th root $r_k$.
It follows from Theorem 1 that data is represented as a multiple of $k$ numbers in the finite field. □
Fig. 2. The details of the partitioning process.
Example 1. Let data $d = 10$, prime $p = 31$, and let $k = 3$. We need to partition the data into three parts for which we will need to use a cubic equation, $x^3 + a_2 x^2 + a_1 x - d \equiv 0 \bmod p$.
We can find the equation satisfying the required properties using Theorem 1. Assume, $(x - r_1)(x - r_2)(x - r_3) \equiv 0 \bmod 31$. We randomly choose two roots from the field, $r_1 = 19$ and $r_2 = 22$. Therefore, $r_3 \equiv d \cdot (r_1 \cdot r_2)^{-1} \equiv 10 \cdot (19 \cdot 22)^{-1} \bmod 31 \equiv 11$. The equation becomes $(x - r_1)(x - r_2)(x - r_3) \equiv x^3 - 21x^2 + x - 10 \equiv 0 \bmod 31$, where the coefficients are $a_1 = 1$ and $a_2 = -21$ and the partitions are 11, 22 and 19.
2.2. Choosing the coefficients
In the previous section, we described two conditions that must be satisfied by the coefficients. The first condition was that not all the coefficients are simultaneously zero and second that the choice of coefficients should result in an equation with roots in $Z_p$. Since no generalized method for solving equations of degree higher than 4 exists [5], a numerical method must be used which becomes impractical as the number of partitions grows. An easier method to compute the coefficients is exemplified by Theorem 1 and Example 1.
One might ask why should we want to compute the coefficients if we already have all the roots? We answer this question in Section 3.
2.3. Introducing redundancy
In situations when the data pieces stored on one or more (less than a threshold number of) servers over the Internet may not be accessible, the user should be able to recreate the data from the available pieces. The procedure outlined below extends the $k$ partitions to $n$, $n \ge k$ partitions such that only $k$ of them need to be brought together to recreate the data. If $\{r_1, r_2, \ldots, r_k\}$ is the original set of partitions then they can be mapped into a set of $n$ partitions $\{p_1, p_2, \ldots, p_n\}$ by the use of a mapping function based on linear algebra. If we construct $n$ linearly independent equations such that

$$\begin{aligned}
a_{11}r_1 + a_{12}r_2 + \cdots + a_{1k}r_k &= c_1 \\
a_{21}r_1 + a_{22}r_2 + \cdots + a_{2k}r_k &= c_2 \\
&\;\;\vdots \\
a_{n1}r_1 + a_{n2}r_2 + \cdots + a_{nk}r_k &= c_n
\end{aligned}$$

where numbers $a_{ij}$ are randomly chosen from the finite field $Z_p$, then the $n$ new partitions are $p_i = \{a_{i1}, a_{i2}, \ldots, a_{ik}, c_i\}$, $1 \le i \le n$. The above linear equation can be written as matrix operation,

$$\begin{bmatrix}
a_{11} & a_{12} & \cdots & a_{1k} \\
a_{21} & a_{22} & \cdots & a_{2k} \\
\vdots & & & \vdots \\
a_{n1} & a_{n2} & \cdots & a_{nk}
\end{bmatrix}
\begin{bmatrix} r_1 \\ r_2 \\ \vdots \\ r_k \end{bmatrix}
=
\begin{bmatrix} c_1 \\ c_2 \\ \vdots \\ c_n \end{bmatrix}$$

To recreate $r_j$, $1 \le j \le k$ from the new partitions, any $k$ of them can be brought together,

$$\begin{bmatrix} r_1 \\ r_2 \\ \vdots \\ r_k \end{bmatrix}
=
\begin{bmatrix}
a_{m1} & a_{m2} & \cdots & a_{mk} \\
a_{n1} & a_{n2} & \cdots & a_{nk} \\
\vdots & & & \vdots \\
a_{i1} & a_{i2} & \cdots & a_{ik}
\end{bmatrix}^{-1}_{k \times k}
\begin{bmatrix} c_1 \\ c_2 \\ \vdots \\ c_k \end{bmatrix}_{k \times 1}$$

A feature of the presented scheme is that new partitions may be added and deleted without affecting any of the existing partitions.
2.4. Complexity of the proposed protocols
The following subsections discuss the complexity issues of the proposed data partitioning scheme.
2.4.1. The complexity of the $(k, k)$ data partitioning scheme
The complexity of the $(k, k)$ partitioning scheme is $O(k)$. This is illustrated by the following algorithm.
Algorithm 1a. (k,k) Data Partitioning Scheme
Input data $d$
1. Choose randomly and uniformly from a finite field $Z_p$, $k-1$ numbers $r_1, r_2, \ldots, r_{k-1}$.
2. Compute $r_k \equiv d \cdot (r_1 \cdot r_2 \cdots r_{k-1})^{-1} \bmod p$.
3. Construct the $k$th degree polynomial: $p(k) = (x - r_1)(x - r_2)\cdots(x - r_k) \bmod p = x^k + a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + \cdots + a_1 x + a_0 \bmod p$.
4. The roots $r_1, r_2, \ldots, r_k$ of the polynomial $p(k)$ represent the data partitions.
Output → vector $\vec{R} = [r_1, r_2, \ldots, r_k]$
As seen from the above algorithm, partition creation requires $k$ multiplications and one inversion operation modulo prime $p$. Hence the time complexity of $O(k)$.
Similarly, data reconstruction requires $k$ multiplications which is illustrated by the following algorithm.
Algorithm 1b. (k,k) Data Reconstruction
Input vector $\vec{R} = [r_1, r_2, \ldots, r_k]$
1. Data $d \equiv r_1 \cdot r_2 \cdots r_k \bmod p$.
Output → $d$
Linear complexity of Algorithms 1a and 1b is highly desirable for resource constraint environments such as that of sensor networks.
2.4.2. The complexity of the $(k, n)$ data partitioning scheme
The proposed $(k, n)$ data partitioning scheme uses the $(k, k)$ partitioning scheme as a sub-algorithm. That is, we first obtain $k$ partitions using Algorithm 1a and then introduce redundancy to cope with possible inaccessibility of some of the partitions. The $(k, n)$ partitioning scheme works as follows.
Algorithm 2a. (k,n) Data Partitioning Scheme
Input data $d$
1. Use Algorithm 1a to create $k$ partitions of data $d$. Obtain vector $\vec{R} = [r_1, r_2, \ldots, r_k]$.
2. Generate $n \times k$ matrix $A$ such that all the rows of matrix are linearly independent.
Note. A simple way to choose such a matrix would be to choose a Vandermonde matrix of the following form

$$A = \begin{bmatrix}
1 & x_1 & x_1^2 & x_1^3 & \cdots & x_1^{k-1} \\
1 & x_2 & x_2^2 & x_2^3 & \cdots & x_2^{k-1} \\
\vdots & & & & & \vdots \\
1 & x_n & x_n^2 & x_n^3 & \cdots & x_n^{k-1}
\end{bmatrix}$$

3. Create $n$ partitions by computing $[A]_{(n \times k)} \cdot [\vec{R}^T]_{(k \times 1)} = C_{(n \times 1)}$, where $C = [c_1, c_2, \ldots, c_n]^T$.
4. The partitions are denoted by the pair $p_i = \{x_i, c_i\}$, $1 \le i \le n$.
Output → $p_i = \{x_i, c_i\}$, $1 \le i \le n$
Algorithm 2b. (k,n) Data Reconstruction
Input any $k$ partitions $p_i = \{x_i, c_i\}$
1. Construct the $k \times k$ matrix $B$ by choosing the rows of matrix $A$ corresponding to the given pairs $p_i$ and compute $B^{-1}$.
2. Reconstruct the $k$ shares by evaluating $[\vec{R}^T]_{(k \times 1)} = [B^{-1}]_{(k \times k)} \cdot C_{(k \times 1)}$.
3. Use Algorithm 1b to reconstruct data $d$, where the input to the algorithm is $\vec{R}$.
Output → $d$
The complexity of Algorithms 2a and 2b is $O(n \log^2 n)$ [4,16].
A more efficient method, that eliminates multiplications during partition creation, would be to use a $n \times k$ matrix with elements from GF(2). Such matrices are used in error-correction coding [19]. This will reduce all multiplication operations to addition operations for partition creation (assuming the cost of multiplications with 0 and 1 can be ignored). And inversion of such a matrix during data reconstruction would require at most $O(n^3)$ operations and $O(n^2)$ multiplications. An example of such a matrix in GF(2) is given below, where we have assumed $n = 4$ and $k = 3$.

$$A = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \\ 0 & 1 & 1 \\ 1 & 1 & 0 \end{bmatrix}$$

Any $k = 3$ columns of the above matrix $A$ are linearly independent. Since the above matrix only requires multiplications with 0 and 1, the time complexity of the scheme becomes linear for partition creation. This is one of the advantages of our scheme over traditional schemes, such as that of Shamir's, where a matrix in GF(2) cannot be used to simplify computations.
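Algorithms 2a and 2b and the 0/1 matrix above, as an added Python example that is not part of the original paper: it creates $n$ shares from $k$ roots, rebuilds the roots from any $k$ shares by Gauss-Jordan elimination over $Z_p$, and lists every $k$-row subset of a matrix that cannot be inverted. Function names and the x values 1..5 are assumptions; each share stores its full matrix row (the Section 2.3 form) so the same code serves the Vandermonde and the 0/1 matrix.

```python
from itertools import combinations


def vandermonde(xs, k, p):
    """Rows [1, x, x^2, ..., x^(k-1)] mod p; the x values must be distinct mod p."""
    if len({x % p for x in xs}) != len(xs):
        raise ValueError("x values must be distinct modulo p")
    return [[pow(x, j, p) for j in range(k)] for x in xs]


def make_shares(A, roots, p):
    """Algorithm 2a, step 3: c_i = sum_j A[i][j] * r_j mod p; share i = (row_i, c_i)."""
    return [(tuple(row), sum(a * r for a, r in zip(row, roots)) % p) for row in A]


def solve_mod_p(B, c, p):
    """Gauss-Jordan elimination over Z_p; raises if the rows are dependent."""
    k = len(B)
    if any(len(row) != k for row in B) or len(c) != k:
        raise ValueError("need exactly k shares of width k")
    M = [[v % p for v in row] + [ci % p] for row, ci in zip(B, c)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if M[r][col]), None)
        if pivot is None:
            raise ValueError("rows are linearly dependent modulo p")
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(k):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[col])]
    return [M[r][k] for r in range(k)]


def recover_data(shares, p):
    """Algorithm 2b: invert the k chosen rows, then multiply the roots (Alg. 1b)."""
    rows = [row for row, _ in shares]
    roots = solve_mod_p(rows, [c for _, c in shares], p)
    d = 1
    for r in roots:
        d = d * r % p
    return roots, d


def dependent_subsets(A, k, p):
    """Index tuples of k rows of A that cannot be inverted modulo p."""
    bad = []
    for idx in combinations(range(len(A)), k):
        try:
            solve_mod_p([A[i] for i in idx], [0] * k, p)
        except ValueError:
            bad.append(idx)
    return bad


# Constructed sample input: the three partitions of Example 1 (p = 31).
P = 31
ROOTS = [19, 22, 11]
# The n = 4, k = 3 matrix of 0/1 entries given in the text.
A01 = [[1, 0, 1], [0, 1, 0], [0, 1, 1], [1, 1, 0]]

if __name__ == "__main__":
    shares = make_shares(vandermonde([1, 2, 3, 4, 5], 3, P), ROOTS, P)
    print(recover_data([shares[4], shares[0], shares[2]], P))
    print(dependent_subsets(A01, 3, P), dependent_subsets(A01, 3, 2))
```

With the 0/1 matrix every 3-row subset is invertible when the arithmetic is carried out modulo 31, but rows 1, 3 and 4 sum to zero if the arithmetic itself is done in GF(2), so the subset check should be run under the modulus actually used for the shares.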
2.4.3. A note on applications
As seen above, Algorithms 1a and 1b require $O(k)$ computations while Algorithms 2a and 2b require $O(n \log^2 n)$ computations. Both these implementations are efficient and suitable for resource constraint environments such as wireless sensor networks. Further, while sensors generate crucial data and transmit it securely to the base station, the reconstruction of data happens for most cases only at the base station. Since base stations have much higher computational capacity than the sensors themselves, a matrix in GF(2) may be used to reduce the computational burden on the sensors.
3. An alternate approach to partitioning
Once the user has computed all the $k$ roots then he may compute the equation resulting from (4) and store one or all of the roots on different servers and the coefficients on different servers. Recreation of original data can now be performed in two ways: either using (5) or choosing one of the roots at random and retrieving the coefficients and substituting the appropriate values in the equation (3) to compute

$$d' \equiv x^k + a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + \cdots + a_1 x \bmod p \tag{9}$$

Therefore, the recreated data $d \equiv (p - d') \bmod p$. Parenthetically, this may provide a scheme for fault tolerance. Additionally, a user may store just one of the roots and $k-1$ coefficients on the network. These together represent $k$ partitions.
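The $(k, k)$ scheme of Algorithms 1a and 1b, the numbers of Example 1 and the coefficient-based recovery of Eq. (9), as an added Python example that is not part of the original paper; the function names and the `fixed_roots` parameter are assumptions. It also makes the sign explicit: for the monic polynomial built as in (4) the constant term is $(-1)^k \prod r_i$, so $d = p - d'$ holds for even $k$, while for odd $k$ (as in Example 1) $d = d'$, which is the $-d$ alternative noted at (3).

```python
import secrets


def partition(d, k, p, fixed_roots=None):
    """Algorithm 1a: split d into k roots with r_1 * ... * r_k = d (mod p).

    fixed_roots (an assumption of this example) pins r_1..r_{k-1} so that
    Example 1 can be reproduced; normally they are drawn at random.
    """
    if k < 2:
        raise ValueError("k must be at least 2")
    if not 1 <= d <= p - 1:
        # Every root lies in 1..p-1, so the product can never be 0 mod p.
        raise ValueError("d must lie in 1..p-1")
    if fixed_roots is None:
        roots = [1 + secrets.randbelow(p - 1) for _ in range(k - 1)]
    else:
        roots = list(fixed_roots)
        if len(roots) != k - 1 or any(r % p == 0 for r in roots):
            raise ValueError("need k-1 non-zero roots")
    prod = 1
    for r in roots:
        prod = prod * r % p
    roots.append(d * pow(prod, -1, p) % p)      # Eq. (8)
    return roots


def reconstruct(roots, p):
    """Algorithm 1b: d = r_1 * r_2 * ... * r_k mod p."""
    d = 1
    for r in roots:
        d = d * r % p
    return d


def poly_from_roots(roots, p):
    """Coefficients of prod (x - r_i) mod p, highest degree first."""
    coeffs = [1]
    for r in roots:
        shifted = coeffs + [0]                  # coeffs * x
        for i, c in enumerate(coeffs):          # minus r * coeffs
            shifted[i + 1] = (shifted[i + 1] - r * c) % p
        coeffs = shifted
    return coeffs


def recover_from_root(root, stored_coeffs, p):
    """Section 3: rebuild d from one root plus [1, a_{k-1}, ..., a_1].

    The constant term is not stored. Eq. (9) gives d' = x^k + ... + a_1 x.
    """
    k = len(stored_coeffs)
    acc = 0
    for c in stored_coeffs:                     # Horner's rule
        acc = (acc * root + c) % p
    d_prime = acc * root % p                    # no constant term: shift by x
    # constant term = -d' = (-1)^k * prod(r_i)  =>  d = (-1)^(k+1) * d'
    return d_prime if k % 2 else (p - d_prime) % p


# Example 1 from the text: d = 10, p = 31, k = 3, r_1 = 19, r_2 = 22.
EXAMPLE_ROOTS = partition(10, 3, 31, fixed_roots=[19, 22])
EXAMPLE_POLY = poly_from_roots(EXAMPLE_ROOTS, 31)

if __name__ == "__main__":
    print("partitions:", EXAMPLE_ROOTS)
    print("coefficients mod 31:", EXAMPLE_POLY)
    print("d from product:", reconstruct(EXAMPLE_ROOTS, 31))
    print("d from one root:", recover_from_root(19, EXAMPLE_POLY[:-1], 31))
```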
Note. Distinct sets of coefficients (for a given constant term in the equation) result in distinct sets of roots and vice versa. This is because two distinct sets of coefficients represent distinct polynomials because two polynomials are said to be equal if and only if they have the same coefficients. By the fundamental theorem of algebra, every polynomial has unique set of roots.
Two sets of roots $R_1$ and $R_2$ are distinct if and only if $\exists r_i \forall r_j\,(r_i \ne r_j)$, where $r_i \in R_1$ and $r_j \in R_2$. To compute the corresponding polynomials and the two sets of coefficients $C_1$ and $C_2$, we perform $\prod_{i=1,\, r_i \in R_1}^{k} (x - r_i) \equiv 0 \bmod p$ and $\prod_{j=1,\, r_j \in R_2}^{k} (x - r_j) \equiv 0 \bmod p$ and read the coefficients from the resulting polynomials, respectively. It is clear that at least one of the factors of the two polynomials is distinct because at least one of the roots is distinct; hence the resulting polynomials for a distinct set of roots are distinct.
Theorem 2. Determining the coefficients of a polynomial of degree $k \ge 2$ in a finite field $Z_p$, where $p$ is prime, by brute force, requires $\Omega\left(\left\lceil \frac{p^{k-1}}{(k-1)!} \right\rceil\right)$ computations.
Proof. If $A$ represents the set of coefficients $A = \{a_1, a_2, \ldots, a_{k-1}\}$, where $0 \le a_i \le p-1$, then by the above note each distinct instance of set $A$ gives rise to a distinct set of roots $R = \{r_1, r_2, \ldots, r_k\}$, and conversely every distinct instance of set $R$ gives rise to a distinct set of coefficients $A$. Therefore, if we fix $d$ to a constant then (5) can be used to compute a set of roots. Every distinct set of roots is therefore a $k-1$ combination of a multiset, where each element has infinite multiplicity, and equivalently a $k-1$ combination of set $S = \{0, 1, 2, \ldots, p-1\}$ with repetition allowed. Thus, the number of possibilities for the choices of coefficients is given by the following expression:

$$\begin{aligned}
\left(\!\!\binom{p}{k-1}\!\!\right) &= \binom{p - 1 + k - 1}{k - 1} = \frac{(p + k - 2)!}{(p-1)!\,(k-1)!} = \frac{(p+k-2)(p+k-3)\cdots(p+k-k)\,(p-1)!}{(p-1)!\,(k-1)!} \\
&= \frac{(p+k-2)(p+k-3)\cdots p}{(k-1)!} \ge \left\lceil \frac{p^{k-1}}{(k-1)!} \right\rceil
\end{aligned} \tag{10}$$

Here we have used the fact that in practice $p \gg k \ge 2$, hence the result. We have ignored the one prohibited case of all coefficients being zero, which has no effect on our result.
4. A stronger variation to the protocol modulo a composite number
An additional layer of security may be added to the implementation by performing computations modulo a composite number $n = p \cdot q$; $p$ and $q$ are primes, and using an encryption exponent to encrypt the data before computing the roots of the equation. In such a variation, knowledge of all the roots and coefficients of the equation will not reveal any information about the data and the adversary will require to know the secret factors of $n$. For this we can use an equation such as the following:

$$x^k + \sum_{i=1}^{k-1} a_{k-i}x^{k-i} + d^y \equiv 0 \bmod n \tag{11}$$

where $y$ is a secretly chosen exponent and $\mathrm{GCD}(y, \varphi(n)) = 1$. If the coefficients are chosen such that (11) has $k$ roots then

$$\prod_{i=1}^{k} r_i \equiv d^y \bmod n \tag{12}$$

Appropriate coefficients may be chosen in a manner similar to that described in previous sections. It is clear that compromise of all the roots and coefficients will at the most reveal $c = d^y \bmod n$. In order to compute the original value of $d$, the adversary will require the factors of $n$ which are held secret by the user.
5. Addressing the data partitions
The previous sections consider the security of the proposed scheme when prime $p$ and composite $n$ are public knowledge. However, there is nothing that compels the user to disclose the values of $p$ and $n$. If we assume that $p$ and $n$ are secret values then the partitions may be stored in the form of an encrypted link list. We define an encrypted link list as a link list in which every pointer is in encrypted form and in order to find out which node the present node points to, the user needs to decrypt the pointer which can be done only if certain secret information is known.
If we assume that $p$ and $n$ are public values then the pointer can be so encrypted that each decryption either leads to multiple addresses or depends on the knowledge of the factors or both. Only the authentic user will know which of the multiple addresses is to be picked.
Alternatively, one may use a random number generator and generate a random sequence of server IDs using a secret seed. One way to generate this seed may be to find the hash of the original data and use it to seed the generated sequence and keep the hash secret.
6. Security by key distribution
In some cases, when there is a large amount of data, a user may find it inefficient to create data partitions and distribute them over the network but may wish to encrypt the data and store it on a single server which he trusts and keep encryption key secret. Almost always, encryption keys are very large random numbers and cannot be memorized. Therefore, the user may create partitions of the key and spread them over the network. This approach may be more efficient, if not more secure, than creating data partitions of enormous amounts of data. Furthermore, the access to the servers on which the key partitions are stored may be password restricted.
We stress that this scenario is different from the secret sharing scenario where multiple parties are involved since our case involves data security for a single party.
Keys may be partitioned using the scheme presented in the previous sections where the data is replaced by the key. Alternatively one may use the key partitioning scheme presented in the following sub-section that uses polynomials in Galois Field GF($2^m$), for which, given the distributed nature of the scheme, the security will be better than polynomial generalization of power encryption transformations [13,9].
6.1. Key partitioning in Galois field $2^m$
A Galois Field ($2^m$) consists of polynomials of degree $m-1$ or less, such that their coefficients lie in GF(2). For example, $a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \cdots + a_1 x + a_0$, where $a_i = 1$ or $0$ represents a polynomial belonging to GF($2^m$) and it may be written in binary representation as ($a_{m-1}a_{m-2} \ldots a_1 a_0$). Multiplication in GF($2^m$) is performed modulo an irreducible polynomial $g(x) = x^m + b_{m-1}x^{m-1} + \cdots + b_1 x + b_0$, where $b_i \in$ GF(2). A polynomial $g(x)$ is said to be irreducible if it cannot be factored into two or more polynomials each with coefficients in GF(2) and each of degree less than $m$.
Therefore, a user can generate a random key and partition it into $k$ partitions using the following procedure. He generates $k$ random polynomials of any random degree in GF($2^m$) and computes their product modulo the irreducible polynomial $g(x)$. The resultant polynomial of degree $m-1$ with binary coefficients is taken as the required key in its binary representation and the randomly generated polynomials are the partitions (Fig. 3).
Fig. 3. Illustration of key partitioning.
Example 2. In order to generate a random 8 bit key and create five partitions of it, the user may proceed as follows. Let $g(x) = x^8 + x^2 + 1$ be an irreducible polynomial in GF($2^m$). He chooses five polynomials of degree $m-1$ or less (at random), such as $p_1(x) = x^7 + x^6 + x$, $p_2(x) = x^4 + x^2 + x + 1$, $p_3(x) = x^5 + x^3$, $p_4(x) = x^7 + x^6 + x^5 + x$ and $p_5(x) = x^6 + x^2 + x + 1$ and computes their product, $p_1(x)p_2(x)p_3(x)p_4(x)p_5(x) \equiv k(x) \bmod g(x)$, where $k(x)$ is the key polynomial and the coefficients are the binary representation of the key.

$$k(x) \equiv p_1(x)p_2(x)p_3(x)p_4(x)p_5(x) \equiv x^6 + x^4 + x^3 + x + 1 \bmod g(x)$$

Therefore, the random key generated is $k = 01011011$ and the partitions are, $p_1 = 11000010$; $p_2 = 00010111$; $p_3 = 00101000$; $p_4 = 11100010$; $p_5 = 01000111$.
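Example 2 recomputed with carry-less arithmetic, as an added Python example that is not part of the original paper; the function names are assumptions. It also tests the modulus by trial division: over GF(2), $x^8 + x^2 + 1 = (x^4 + x + 1)^2$, so fresh keys in this block are generated with $x^8 + x^4 + x^3 + x + 1$ (the AES polynomial, an assumption not taken from the page).

```python
import secrets


def clmul(a, b):
    """Carry-less (GF(2)[x]) product of two polynomials held as bit masks."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a <<= 1
        b >>= 1
    return out


def polymod(a, g):
    """Remainder of a divided by g in GF(2)[x]."""
    dg = g.bit_length()
    while a.bit_length() >= dg:
        a ^= g << (a.bit_length() - dg)
    return a


def combine(partitions, g):
    """Key = product of all partitions modulo g(x)."""
    key = 1
    for part in partitions:
        key = polymod(clmul(key, part), g)
    return key


def factor_of(g):
    """A non-trivial factor of g found by trial division, or None if g is irreducible."""
    deg = g.bit_length() - 1
    for cand in range(2, 1 << (deg // 2 + 1)):   # all degrees 1 .. deg // 2
        if polymod(g, cand) == 0:
            return cand
    return None


def make_key_partitions(k, g):
    """Draw k random non-zero partitions of degree < m and derive the key."""
    if factor_of(g) is not None:
        # With a reducible modulus the ring has zero divisors: some partitions
        # have no inverse and a product of non-zero partitions can be zero.
        raise ValueError("g(x) is reducible over GF(2)")
    m = g.bit_length() - 1
    parts = [1 + secrets.randbelow((1 << m) - 1) for _ in range(k)]
    return combine(parts, g), parts


# Values of Example 2 from the text.
G_PAGE = 0b100000101            # x^8 + x^2 + 1
EXAMPLE_PARTS = [0b11000010, 0b00010111, 0b00101000, 0b11100010, 0b01000111]
# Assumption of this example: an irreducible degree-8 modulus.
G_AES = 0b100011011             # x^8 + x^4 + x^3 + x + 1

if __name__ == "__main__":
    print(format(combine(EXAMPLE_PARTS, G_PAGE), "08b"))
    print("factor of page modulus:", bin(factor_of(G_PAGE) or 0))
    key, parts = make_key_partitions(5, G_AES)
    print(format(key, "08b"), [format(x, "08b") for x in parts])
```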
Note that the knowledge of $k-1$ partitions, in the scheme presented above, leaves the $k$th partition completely undetermined and the adversary still requires $\Theta(2^{m-1})$ trials to determine the encryption key. This is because all the partitions $\in$ GF($2^m$) and that each one of them is independently and randomly chosen from the field. Hence, knowledge of $k-1$ partitions does not reveal any information about the choice made for the $k$th partition. Further, since the $k$th partition can be any random polynomial from the field, in order to compute this polynomial by brute force would require on an average half the number of trials of $2^m$, i.e. $\Theta(2^{m-1})$. Since the right hand side of the equation (the key) is completely dependent on the choice of left hand side of the equation (the factors of the key), one would require $\Theta(2^{m-1})$ trials to compute the key with the knowledge of $k-1$ partitions [24].
In practice, keys are of 128–512 bits in AES, i.e. $\Theta(2^{127})$ to $\Theta(2^{511})$ possible trials on an average.
The above scheme can be extended to a $(k, n)$ partitioning scheme by converting the existing partitions into decimal integers and using the extension presented in Section 2.3.
7. Partition redundancy v/s no redundancy
In cases where the accessibility to the partitions is guaranteed and the data disks are sufficiently backed-up, partition redundancy may lead to unnecessary wastage of storage space. This is certainly true for in-system storage where data partitions may be distributed over numerous sectors randomly and not contiguously stored. Also in case of network storage larger number of partitions would require larger upload time which may be avoidable.
8. Application in Internet voting protocols
Internet voting is a challenge for cryptography because of its opposite requirements of confidentiality and verifiability. There is the further restriction of fairness that the intermediate election results must be kept secret. One of the ways to solve this problem is to use multiple layers of encryption such that the decryption key for each layer is available with a different authority. This obviously leaves open the question as to who is to be entrusted the encrypted votes.
A more effective way to implement fairness would be to avoid encryption keys altogether and divide each cast ballot into $k$ or more pieces such that each authority is given one of the pieces [20]. This solves the problem of entrusting any one authority with all the votes and if any of the authorities (less than the threshold) try to cheat by deleting some of the cast ballots, then the votes may be recreated using the remaining partitions. Such a system implicitly provides a back-up for the votes.
9. Conclusions and future work
We have described an implicit security architecture suited for the application of online storage. In this scheme data is partitioned in such a way that each partition is implicitly secure and does not need to be encrypted. These partitions are stored on different servers on the network which are known only to the user. Reconstruction of the data requires access to each server and the knowledge as to which servers the data partitions are stored. Several variations of this scheme are described, which include the implicit storage of encryption keys rather than the data, and where a subset of the partitions may be brought together to recreate the data.
One can propose variations to the scheme presented in this paper where the data partitions need to be brought together in a definite sequence. One way to accomplish it is by representing partition in the following manner: $p_1, p_1(p_2), p_2(p_3), \ldots$, where $p_i(p_j)$ represents the encryption of $p_j$ by means of $p_i$. Such a scheme will increase the complexity of the brute force decryption task for an adversary.
The proposed scheme is also of potential use in sensor networks. To protect sensitive information on sensors that are physically compromised, one may partition the data and store these parts on other sensors in the network. The key that is used to find the location of these parts is encrypted and this encryption is changed from time to time. This provides solutions that are more general than other distributed security models used in sensor networks [27]. Our approach leads to interesting research issues such as the optimal way to distribute the parts in a network of $n$ sensors, so that the network can work even if some of the sensors happen to malfunction by themselves or as a consequence of intervention by an adversary. It also leads to the question of reliability and tolerance to faults in such a system.
Acknowledgement
This work was partly funded by Central Rural Electric Corporation, Stillwater, Oklahoma.
References
[1] Reuters second life. <http://secondlife.reuters.com/stories/2008/05/07/eve-online-experiments-with-virtual-democracy/>.
[2] Second life herald. <http://www.secondlifeherald.com>.
[3] Expanding the Use of Electronic Voting Technology for UOCAVA Citizens, Department of Defence, May 2007.
[4] A. Aho, J. Hopcroft, J. Ullman, The Design and Analysis of Computer Algorithms, Addison-Wesley, 1974.
[5] A. Bharucha-Reid, M. Sambandham, Random Polynomials, Academic Press, New York, 1986.
[6] T. Claveirole, M. de Amorim, M. Abdalla, Y. Viniotis, Securing wireless sensor networks against aggregator compromises, Communications Magazine IEEE 46 (4) (2008) 134–141.
[7] M.H. Dehkordi, S. Mashhadi, New efficient and practical verifiable multi-secret sharing schemes, Information Sciences 178 (9) (2008) 2262–2274.
[8] D. Denning, Cryptography and Data Security, Addison-Wesley Publishing Company, 1982.
[9] L. Dickson, Linear Groups with an Exposition of the Galois Field Theory, Dover Publications, 1958.
[10] A. Eldin, A. Ghalwash, H. ElShandidy, Enhancing packet forwarding in mobile ad hoc networks by exploiting the information dispersal algorithm, Communications, Computers and Applications, 2008. MIC-CCA 2008. Mosharaka International Conference, August 2008, pp. 20–25.
[11] E. Gheringer, Choosing passwords: security and human factors, Proceedings of IEEE 90 (2002) 369–373.
[12] B. Greenstein, D. Estrin, R. Govindan, S. Ratnasamy, S. Shenker, Difs: a distributed index for features in sensor networks, Ad Hoc Networks 1 (2003) 333–349.
[13] S. Kak, Exponentiation modulo a polynomial for data security, International Journal of Computer and Information Science 13 (1983) 337–346.
[14] S. Kak, On the method of puzzles for key distribution, International Journal of Computer and Information Science 14 (1984) 103–109.
[15] S. Kak, A cubic public-key transformation, Circuits, Systems and Signal Processing 26 (2007) 353–359.
[16] D. Knuth, The Art of Computer Programming, vol. 2, Addison-Wesley, 1969.
[17] C. Kuang-Hui, C. Wen-Tsuen, A new group key generating model for group sharing, Information Sciences 64 (1-2) (1992) 83–94.
[18] C.-Y. Lee, Y.-S. Yeh, D.-J. Chen, K.-L. Ku, A probability model for reconstructing secret sharing under the internet environment, Information Sciences 116 (2-4) (1999) 109–127.
[19] T. Moon, Error Correction Coding: Mathematical Methods and Algorithms, Wiley-Interscience, 2005.
[20] A. Parakh, S. Kak, Internet voting protocol based on implicit data security, in: Proceedings of 17th International Conference on Computer Communications and Networks 2008, ICCN '08, pp. 1-4.
[21] R. Proctor, M. Lien, K. Vu, G. Salvendy, Improving computer security for authentication of users: influence of proactive password restrictions, Behavior Research Methods, Instruments and Computers 34 (2002) 163–169.
[22] A. Renvall, C. Ding, A nonlinear secret sharing scheme, Information Security and Privacy, LNCS 1172 (1996) 56–66.
[23] S. Riley, Password security: what users know and what they actually do, Usability News 8.1 (2006).
[24] K. Rosen, Discrete Mathematics and its Applications, McGraw-Hill, 2007.
[25] A. Shamir, How to share a secret, Communication of ACM 22 (11) (1979) 612–613.
[26] R. Sinnott, First report-december 2004 (irish commission on electronic voting) appendix 2c, 2004, pp. 153–191.
[27] N. Subramanian, C. Yang, W. Zhang, Securing distributed data storage and retrieval in sensor networks, Pervasive and Mobile Computing 3 (6) (2007) 659–676. December.
[28] G. Wang, W. Zhang, G. Cao, T.L. Porta, On supporting distributed collaboration in sensor networks, in: IEEE Military Communications Conference, October 2003.
[29] F. Ye, H. Luo, J. Cheng, S. Lu, L. Zhang, A two-tier data dissemination model for large-scale wireless sensor networks, in: ACM International Conference on Mobile Computing and Networking, 2002, pp. 148–159.
[30] T. Yuan, S. Zhang, Secure fault tolerance in wireless sensor networks, in: CITWORKSHOPS '08: Proceedings of the 2008 IEEE Eighth International Conference on Computer and Information Technology Workshops, 2008, pp. 477–482.
[31] W. Zhang, G. Cao, T.L. Porta, Data dissemination with ring-based index for sensor networks, in: IEEE International Conference on Network Protocol, November 2003.