Received May 14, 2020, accepted June 1, 2020, date of publication June 9, 2020, date of current version June

22, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.3001007

Secure Secret Sharing With Adaptive Bandwidth

in Distributed Cloud Storage Systems
HAILIANG XIONG , (Member, IEEE), CHANGWU HU, (Student Member, IEEE),
YUJUN LI , (Member, IEEE), GUANGYUAN WANG, (Student Member, IEEE),
AND HONGCHAO ZHOU, (Member, IEEE)
School of Information Science and Engineering, Shandong University, Qingdao 266237, China
Corresponding author: Yujun Li (liyujun@sdu.edu.cn)
This work was supported in part by the Key Research and Development Program of Shandong Province under Grant 2017GGX201003,
in part by the National Key Research and Development Program of China under Grant 2018YFC0831006-02, in part by the Natural
Science Foundation of Shandong Province under Grant ZR2019MF038, and in part by the National Natural Science Foundation of China
under Grant 61401253.

ABSTRACT The development of cloud storage technology has brought us great convenience that we can
store data in remote servers and access it on any connected device. However, the frequent leakage of private
data has brought more and more attention to the protection of private data. To solve related problems,
the distributed storage schemes have been proposed. Considering security and fault tolerance, many of those
schemes adopt threshold secret sharing techniques which are wildly used in distributed storage systems
with disaster tolerance function. Nevertheless, in practical situations, the bandwidth between users and
different servers may be unbalanced or even unfixed, which leads to low communication efficiency of the
schemes when adopting original secret sharing. To obtain higher communication efficiency under different
communication loads, we proposed a novel adaptive bandwidth secret sharing scheme in distribution cloud
storage systems. In addition, we consider the scenario in which we use Shamir’s secret sharing scheme and
Staircase codes respectively in order to improve the applicability of the adaptive bandwidth scheme. We make
the comparative of performance analysis to show the advantages and disadvantages of these two schemes.
In general, compared with the non-adaptive schemes, the proposed adaptive bandwidth scheme can make
full use of unbalanced bandwidth and achieve higher average communication rate when the upper bound of
bandwidth is large enough.

INDEX TERMS Adaptive bandwidth, communication efficiency, distributed storage, secret sharing, privacy
and security.

I. INTRODUCTION and saving expensive hardware and software infrastructure

In recent years, with the rise of cloud computing and
software-as-a-service, cloud storage has become a research
hotspot in the field of information storage [1]–[3]. Com-
pared with traditional storage devices, cloud storage is more
than just a piece of hardware, but a system consisting of
multiple parts such as network devices, storage devices,
servers, application software, public access interfaces, access
networks, and client programs. Users who need storage
services no longer need to set up their own data centers,
just apply to the supply-side platform for storage services,
thus avoiding redundant construction of the storage platform
The associate editor coordinating the review of this manuscript and
approving it for publication was Yunlong Cai . loaded. Unfortunately, this method requires a large number of
investment.
However, considering security and usability, many com-
panies and individuals are reluctant to entrust their sensitive
data to third-party service providers. Although the providers
can guarantee data durability, they still cannot fully guarantee
data confidentiality when faced with malicious employees.
Recent reports indicate that most of cloud services are still
short of key capabilities to ensure compliance. They lack
transparency in government oversight and security mecha-
nisms to protect data [4].
In general, if data is stored in one cloud server, the only
way to ensure confidentiality is to encrypt the data on the
client, upload it to the cloud, and decrypt it as it is down-

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
108148 VOLUME 8, 2020
H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
keys to be generated and maintained, and the computational
overhead is very high [5]–[7]. In addition, this sort of key
encryption method is only computationally safe. It can pre-
vent the current mainstream computing power enemies from
cracking, but it can not prevent future enemies with faster
computing power and even quantum computer computing
power. Another more serious shortcoming of a single server
cloud storage solution is that in the event of a disaster or other
disruption [4], the cloud storage service will be completely
ineffective and the data may not be recoverable.
In order to solve above problems of a single server cloud
storage solution, a new cloud storage solution called dis-
tributed cloud [10] has been proposed and becomes more
and more popular. Distributed cloud stores data redundantly
across multiple independent servers, which allows users to
recover data by accessing a normal server when a limited
number of servers are unavailable. In addition, the research
on distributed computing [11], [12] also makes the appli-
cation of distributed cloud more and more extensive. The
main data protection technology of this new type of cloud
storage scheme is generally secret sharing, which is a special
encoding method that combines the user’s original data with
redundant random data to ensure that the original data can
only be obtained by a certain amount of encoded fragment.
Secret sharing scheme was proposed independently by
Shamir [8] and Blakley [9] in 1979 based on Lagrange
interpolation method and the properties of multi-dimensional
space points. This problem describes that a secret data is
shared by n participants, at least k participants can jointly
reconstruct the secret, and less than k participants cannot get
any information about the secret. Secret sharing is a kind of
cryptographic technology of dividing and storing secrets as
well as an important means of information security and data
privacy. What secret sharing does is to prevent excessive con-
centration of secrets, so as to achieve the purpose of spreading
risks and tolerating intrusion. The biggest advantage of secret
sharing is that it is information-theoretic-security that even
an attacker with unlimited computing power can’t get any
information about the stored data. However, compared to
the traditional encryption method, secret sharing does not
require any encryption keys, but it will bring several times
the storage overhead of the original data and additional cod-
ing and decoding complexity, and needs to generate a large
amount of random data (these data will only be used once
after they are generated, and will not need to be stored and
reused like keys). Therefore, they are currently only used
to remotely store small amounts of data, such as encryption
keys [10], [13]. Since this problem was put forward, secret
sharing and erasure code in distributed storage have been
developing continuously [14]–[27]. Now it has become a
fundamental cryptographic method and is used as a building
block in numerous secure protocols, especially in threshold
cryptography and secure multi-party computation.
After Shamir used the idea of polynomial interpola-
tion to construct an elegant and efficient perfect threshold
scheme, Shamir’s scheme is proved to be closely related
VOLUME 8, 2020
to Reed-Solomon codes [27] and is generalized to MDS
(Maximum Distance Separable) array codes [15], [23] later.
In [15], an explicit structure of the first known system (n, k)
MDS array code is described where n − k is equal to some
constants so that the amount of information needed to recon-
struct an erased column is equal to 1/(n − k), matching the
lower bound of information theory. Recently, there has been
considerable interest in incorporating secrets into erasure
codes for distributed storage, such as [33]–[36]. These codes
can also be considered as threshold secret sharing schemes.
Huang et al. [28] proposed communication efficient secret
sharing based on MDS code in 2015, and proved that the
communication cost of this scheme reached the lower bound.
The key idea of this scheme for achieving optimal com-
munication bandwidth is to let the user receive information
from more than the necessary number of parties. Then Bitar
and Rouayheb [29] completely constructed a secret shar-
ing scheme named Staircase codes on this basis. Besides,
they described how Staircase codes can be used to construct
threshold changeable secret sharing codes and applied it into
secure multi-party computation [30]. Although considerable
theoretical effort has focused on reducing the computation
complexity of Shamir’s secret-sharing scheme while still
making it information-theoretically secure [27], [31], [37],
[38], most of these solutions are based on balanced bandwidth
conditions, and there is little research on unbalanced band-
width load. Fortunately, recent technological advances have
brought new ideas. A new secret sharing algorithm, secure
RAID (Redundant Arrays of Independent Drives), was pro-
posed. This algorithm can effectively decode partial data, and
its computational overhead can be compared with standard
erasure coding [31]. More importantly, the addition of RAID
technology allows distributed storage to match unbalanced
bandwidth during communication [32].
In this paper, we assume that we need to store some impor-
tant data on untrusted third-party servers. We can’t simply
encrypt the data and store it on one server, because the data
stored on a single server is easily cracked and will proba-
bly not be recoverable if something goes wrong. Therefore,
we use the distributed storage scheme based on threshold
secret sharing to store data in multiple servers that are not easy
to collude. Compared with the common multi-copy schemes,
secret sharing can significantly save storage costs and provide
higher ability of fault tolerance. However, when restoring the
secret, the bandwidth that users access to each server may
be different. If we do not consider the difference of band-
width, it may waste a lot of bandwidth and even lead to low
communication efficiency. In order to improve this situation,
we propose an adaptive bandwidth secret sharing scheme
based on Shamir’s scheme and Staircase codes respectively.
We evaluate and analyze the bandwidth utilization and com-
munication efficiency of the adaptive bandwidth scheme and
compare it with the non-adaptive one. The main conclusions
can be summarized as follows. (1) No matter which of the
two secret sharing schemes is applied, the proposed scheme
can achieve the bandwidth self-adaption between the user
108149
 H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
and the servers in distributed storage system and greatly
increase the communication rate when the upper bound of
bandwidth is large enough. (2) The scheme constructed from
Staircase codes can recover the secret more efficiently with
lower bandwidth but higher computational overhead. (3) The
proposed adaptive scheme has strong scalability, so that we
can build it with other secret sharing algorithms to obtain
additional features.
The remainder of the paper is organized as follows.
Section II introduces Shamir’s scheme and Staircase codes
which will be used as component of the adaptive scheme.
Section III illustrates the basic idea of adaptive bandwidth
scheme and the generation of bandwidth matrix, which is
the kernel of self-adaption. We describe the construction
process of adaptive bandwidth scheme and compare the
non-adaptive scheme with the adaptive one through an exam-
ple in Section IV. Numerical analysis results are presented
in Section V. Finally, we provide the concluding remarks in
Section VI.
II. SHAMIR’s SCHEME AND STAIRCASE CODES
A. SHAMIR’s SCHEME
Shamir’s Secret Sharing is an algorithm in cryptography
based on Lagrange interpolation method. The essential idea
of Shamir’s threshold scheme is that 2 points are sufficient
to define a line, 3 points are sufficient to define a parabola,
4 points are sufficient to define a cubic curve and so forth.
That is, it takes k points to define a polynomial of degree
k − 1. Suppose we want to use a (n, k) threshold scheme to
share our secret S, without loss of generality assumed to be
an element in a finite field F of size P where 0 < k ≤ n < P;
S < P and P is a prime number. Choose k −1 positive integers
a1 , · · · , ak−1 at random with ai < P, and let a0 = S. Build
the polynomial
f (x) = a0 + a1 x + a2 x 2 + a3 x 3 + · · · + ak−1 x k−1 .
Let us construct any n points out of it, for example set
i = 1, . . . , n to retrieve (i, f (i)). Every participant is given
a point (a non-zero integer input to the polynomial, and the
corresponding integer output) along with the prime which
defines the finite field to use. Given any subset of k of these
pairs, we can use interpolation to find the coefficients of the
polynomial. The secret is the constant term a0 . However,
when given more than k pairs, we can still use the data of k
pairs. Namely, the extra pairs are wasted.
B. STAIRCASE CODES
Staircase code is a kind of communication efficient secret
sharing scheme constructed by Bitar and Rouayheb [29],
which referred to Huang’s paper [28]. The goal of this scheme
is to minimize the communication overhead for the user
interested in decoding the secret. Compared with Shamir’s
scheme, this scheme describes a method that the user can
download less data from the servers when more than k servers
are available with higher computational overhead.
108150
An (n, k, z) Staircase code allows the user to encode the
data S into n shares and distribute them to n servers, such that
shares from any set of k servers can obtain S and shares from
any set of z, z ≤ k ≤ n, servers obtain no information about S.
The user will reconstruct S with the data in any d, k ≤ d ≤ n
servers, i.e., d denotes the number of servers that are actually
used. In this paper, we regard z = k − 1, which is the most
common case in practice. The following are the construction
processes of Staircase code:
Preparation: An (n, k, k −1) Staircase code requires divid-
ing the data into matrix S of dimension h × b/h, where
h = n − k + 1, b = LCM 1 {2, · · · , h}. Let d1 = n, d2 =
n − 1, · · · , dh = k denote the number of servers contacted by
the user. Let bi , di −k +1 for i = 1, . . . , h. The construction
uses random matrix R of dimension (k − 1) × 2b/bn−k whose
elements are drawn independently and uniformly at random
from GF(q) to ensure secrecy. Then the random matrix R
is partitioned into h matrices Ri , i = 1, . . . , h, each of
dimension (k − 1) × b/bi bi−1 with b0 = 1. The matrix M
is the concatenation of h matrices Mi , i = 1, . . . , h, shown
in Fig. 1. The elements appearing in each matrix Di are the
elements of the (n − i + 1)th row of [M1 , . . . , Mi ] rearranged
to the dimension of bi × b/bi bi+1 for i = 1, . . . , h − 1. The
0’s are the all zero matrices used to complete the Mi ’s to n
rows.
(1)
FIGURE 1. The construction of matrix M with dimension n × b. Note that
the dimension of S is h × b/h, the dimension of Ri is (k − 1) × b/bi bi −1 ,
i = 1, . . . , h and the dimension of Di is bi × b/bi bi +1 . In addition,
the role of the zero matrix in M is to fill M into n rows.
Encoding: Let V be an n × n Vandermonde matrix defined
over GF(q). The encoding of Staircase codes consists of
multiplying V by M to obtain the matrix C = VM . The n
rows of C form the n different shares.
Decoding: The user contacts any di servers, i = 1, 2, . . . , h
and downloads the first b/bi symbols from each servers corre-
sponding to V [M1 , M2 , . . . , Mh ]. The user is guaranteed [29]
to decode the secret.
The following Example illustrates the specific process of
encoding and decoding for Staircase codes.
1 Least Common Multiple.
VOLUME 8, 2020
H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
Example 1: Consider the secret sharing problem with
n = 3, k = 2. We assume now that the secret S is formed of 2
symbols S1 , S2 uniformly distributed over GF(5) and we use
two keys R1 , R2 drawn independently and uniformly at ran-
dom from GF(5). To construct the Staircase codes, the secret
symbols and keys are arranged in a matrix M as shown in (2).
The matrix M is multiplied by a 4 × 3 Vandermonde matrix
V to obtain the matrix C = VM . The 3 rows of C form the 3
different shares and give the Staircase codes shown in Table 1.
  
1 1 1 S1 R1
C = VM = 1 2 4  S2 R2  (2)
1 3 4 R1 0
TABLE 1. The shares stored by three servers using Staircase codes for
n = 3, k = 2. In this example, each share is divided into two sub-shares
giving the user more decoding options. The user can decode S1 and S2 by
receiving either the first sub-share of each server (in blue) or two
sub-shares from any two servers (in blue and black). In the first case,
the communication overhead and read overhead are both 1 symbol.
In the second case, the communication overhead and read overhead are
both 2 symbols. The operations shown above are in GF (5).
III. ADAPTIVE BANDWIDTH SCHEME
We need to store a secret data in n untrusted servers among
which only less than k servers can collude (or the oppo-
nent can only break through less than k servers at the same
time), hence we need to adopt secret sharing. Assuming that
the communication bandwidth between the user and these n
servers may be unbalanced or even changeable, we need to
consider how to construct a secret sharing scheme to adapt to
the change of bandwidth as much as possible.
A. BASIC IDEA
Our basic idea is to store multiple data and recover it by using
secret sharing scheme in different ways, which is inspired
by the study in RDP (Row Diagonal Parity) code storage
systems [32]. In simple terms, each symbol of secret S is
stored on multiple servers using secret sharing scheme, and
each symbol of secret is recovered in same order. However,
the sub-secrets selected for recovering each symbol is not
necessarily the same, but should be adjusted according to
the bandwidth condition to achieve the purpose of bandwidth
self-adaption.
Table 2 shows that when recovering a secret consists
of 3 symbols, if the bandwidths of the user to the four
servers are 3, 3, 0, 0 symbol/s respectively, we can recover
the secret in the first scenario to achieve bandwidth self-
adaption, if the bandwidths of the user to the four servers
VOLUME 8, 2020
TABLE 2. Three Shamir’s secret sharing projects for n = 4, k = 2. Each
project stores a secret of one symbol in 4 servers. When we want to
recover one secret, we need to download one symbol of data from any 2
of the 4 servers respectively. If we want to recover three secrets, in the
first scenario, 6 symbols are downloaded from server A and B, while no
data is downloaded from server C and D, that is, we download the data
underlined in the table. In the second scenario, 3 symbols are
downloaded from server A, while the remaining 3 symbols are
downloaded respectively from server B, C, and D, that is, we download
the data indicated in blue font in the table.
are 3, 1, 1, 1 symbol/s respectively, we use the second way.
That is to say, different bandwidth loads can be achieved by
changing different combinations of sub-secrets. Conversely,
when we know the actual bandwidth, we can adapt band-
width by allocating the combination of sub-secrets. From this
instance, we can see that in the case of dividing a secret
into multiple chunks, if we make a reasonable analysis of
the bandwidth, we can endow the secret sharing scheme
the capability of adapting bandwidth. Note that one chunk
in the Shamir’s scheme contains 1 symbol of data, while
one chunk in Staircase codes contains b = LCM {2, . . . , h}
symbols.
B. GENERATION OF BANDWIDTH MATRIX
After getting the bandwidth from all servers to the user,
we originally intended to calculate and save all possible
collocation schemes and results in a way similar to fingerprint
database, and then match the bandwidth situation with the
database in the adaptive bandwidth process and calculate the
recovery scheme for each sub-secret. However, we can notice
that above operation is not totally necessary. We just need to
analyze and decompose the bandwidth into several vectors
that each vector denotes the bandwidth used for recovering
one chunk and use the bandwidth matrix to represent the
vectors. Each column of the bandwidth matrix corresponds
to each server, and each row represents the amount of data
downloaded from each server to recover a secret chunk.
We will introduce the generation of bandwidth matrix as
follows:
1) BANDWIDTH MATRIX OF SHAMIR’s SCHEME
In order to obtain the combination of sub-secrets, we let
the matrix MB of m × n dimension constructed from 0’s
and 1’s denote the matrix of bandwidth, where each row
contains k 1’s, and the sum of each column equals to the
bandwidth from the corresponding server to the user. For
108151
 H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
(n, k) secret sharing scheme, we assume the bandwidth from
the servers to the user is B0 = [X01 , X02 , . . . , X0n ], where
0 ≤ X0i ≤ x, x denotes the upper bound of bandwidth.
For (n, k) Shamir’s scheme, we will generate the band-
width matrix as follows:
[X01 , X02 , . . . , X0n ] − MB1 = B1
[X11 , X12 , . . . , X1n ] − MB2 = B2
···
[X(m−1)1 , X(m−1)2 , . . . , X(m−1)n ] − MBm = Bm . (3)
This process continues until the number of 0’s in Bm =
[Xm1 , Xm2 , . . . , Xmn ] is more than n−k, while MBj , 0 ≤ j ≤ m
is the jth row of MB , and its 1’s denote the position of the first
k large number of [X(j−1)1 , X(j−1)2 , . . . , X(j−1)n ].
The following example illustrates the generation processes
of bandwidth matrix MB for Shamir’s scheme.
Example 2: For a (4, 2) Shamir’s scheme, we assume that
the bandwidths from the servers to the user are 2, 3, 4, 1
symbol/s, i.e., B0 = [X01 , X02 , . . . , X0n ] = [2, 3, 4, 1]. Then
we can order it from large to small and obtain the position
of the first k large number of B0 , i.e., MB1 = [0, 1, 1, 0].
And we can obtain MB1 , MB2 , . . . , MBm in the same way
from Eq. (4).
[2, 3, 4, 1] − [0, 1, 1, 0] = [2, 2, 3, 1]
[2, 2, 3, 1] − [0, 1, 1, 0] = [2, 1, 2, 1]
[2, 1, 2, 1] − [1, 0, 1, 0] = [1, 1, 1, 1]
[1, 1, 1, 1] − [1, 1, 0, 0] = [0, 0, 1, 1]
[0, 0, 1, 1] − [0, 0, 1, 1] = [0, 0, 0, 0] (4)
Finally, we can combine MB1 , MB2 , . . . , MBm to get
 
0 1 1 0
0 1 1 0 
1 0 1 0  ,
 
MB =   (5)
1 1 0 0 
0 0 1 1
i.e., the matrix of bandwidth.
2) BANDWIDTH MATRIX OF STAIRCASE CODES
let MBm×n denote the matrix of bandwidth, where each row
consists of different vectors2 Vi = [b/bi , b/bi , · · · , b/bi , 0,
· · · , 0], i = 1, · · · , n − k + 1, in which b/bi denotes the
amount of symbols that need to be downloaded from each
server for recovering one symbol of secret and i denotes the
priority of Vi that the smaller i is, the higher the priority is.
And the number of b/bi is bi + k − 1, while the number of 0
is n − (bi + k − 1).
For (n, k) Staircase code, we will generate the bandwidth
matrix by Eq. (6) until there is no suitable vector to split
2 The order of b/b and 0 in V is arbitrary. For instance,
i i
[0, b/bi , 0, b/bi , · · · , ] is also feasible.
108152
for Bm . Note that the MBj ’s are replaced by Vi ’s here. Sim-
ilarly, we will show an Example of the generation of band-
width matrix for Staircase code.
[X01 , X02 , . . . , X0n ] − V1 = B1
[X11 , X12 , . . . , X1n ] − V2 = B2
···
[X(m−1)1 , X(m−1)2 , . . . , X(m−1)n ] − Vm = Bm . (6)
Example 3: For a (4, 2) Staircase code, assuming that
the bandwidths from the servers to the user are 11, 5, 11, 2
symbol/s, i.e., B0 = [11, 5, 11, 2], we can decompose B0 into
MB1 , MB2 , . . . , MBm from the following steps:
[11, 5, 11, 2] − [2, 2, 2, 2] = [9, 3, 9, 0]
[9, 3, 9, 0] − [3, 3, 3, 0] = [6, 0, 6, 0]
[6, 0, 6, 0] − [6, 0, 6, 0] = [0, 0, 0, 0]. (7)
Similarly, we can combine MB1 , MB2 , . . . , MBm into

2 2 2 2

MB =  3 3 3 0  . (8)
6 0 6 0
In this process, the order of decomposition depends on the
priority of Vi , and the higher priority Vi will be used to
decompose first.
It should be pointed out that since the generation process
of the bandwidth matrix only involves one cycle, its time
complexity is O(n). Compared with the time complexity
of the non-adaptive scheme to recover the secret process,
for example, that of non-adaptive Shamir’s scheme is (k 2 )
(Lagrangian interpolation), that of non-adaptive Staircase
codes is O(n3 ) (mainly calculated as multidimensional matrix
inversion), the time complexity of constructing bandwidth
matrix is trivial.
IV. CONSTRUCTION OF ADAPTIVE SCHEME
In this section, we present the proposed adaptive bandwidth
secret sharing scheme via Shamir’s scheme and Staircase
codes respectively. The construction of proposed adaptive
scheme includes three steps:
A. SECRET DISTRIBUTION
The secret is divided into multiple chunks (Each chunk S
consists of one symbol for Shamir’s scheme while each chunk
consists of h×b/h = b symbols for Staircase codes), and each
chunk is generated into n shares via secret sharing algorithm
and distributed to n servers. All secret chunks are stored in
these n servers through this way in sequence. We call the n
shares of a certain chunk in the server the same ‘‘row’’, so the
number of ‘‘rows’’ of server data represents the number of
stored secret chunks, which means that one can recover the
secret S of a chunk by acquiring any k shares in one certain
‘‘row’’ on the servers.
VOLUME 8, 2020
H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems

B. BANDWIDTH ANALYSIS and differentiate it to

 
Measure the communication bandwidth from each server to 0 1 1
the user when restoring the secret and then decompose the 0
 1 1

bandwidth into a bandwidth matrix by using the method 1
MB =  0 1
 (9)
shown in Eq. (3) or Eq. (6). 0 1 1
1 0 1
C. SECRET RECOVERY that the sums of the columns equal to 2, 3, 5 respectively and
Each row of the bandwidth matrix denotes the distribution the sum of each row is k = 2. Then we will take the data from
of the share required to recover the secret of a chunk in the the servers in the form of matrix (9) and transfer it to the user
servers. Retrieve the data from the server according to the (the blue potion in Fig. 2(b)). At last the user fills the received
bandwidth matrix and transmit it to the user, then restore all data into matrix (9) and recovers the secret in Shamir’s
secret symbols in a way of restoring one symbol per row. secret sharing method. Thus, the bandwidth utilization of
Eventually we will get all the secrets that can be recovered the recovering process is 100%, while the communication
in one second. rate is 5 symbol/s (the number of Matrix’s rows). We can
To better illustrate the process of adaptive bandwidth see from the comparison of this example that the adaptive
secret sharing schemes, we present an example. In addi- bandwidth scheme can get higher communication rate than
tion, we compare the adaptive bandwidth scheme with the original scheme for n = 3, k = 2 when the bandwidths are
non-adaptive scheme in the example to demonstrate the 2, 3, 5 symbol/s.
advantages of the adaptive scheme. Two important perfor- Example 5: For a (4, 2) Staircase code, assuming that the
mance metrics, bandwidth utilization and communication bandwidths from 4 servers to the user are 13, 7, 13, 4 symbol
rate, are involved in this example. Communication rate refers per second respectively.
to the number of symbols that the user recovers from the If we adopt the original non-adaptive Staircase codes,
servers per second during the communication phase, which we can only use the data of the first b/b1 = 2 symbols in
intuitively reflects the performance of secret sharing schemes. all n = 4 servers for twice, because this is the bandwidth
Example 4: For a (3, 2) Shamir’s secret sharing scheme, limit of the fourth server. Then the bandwidth utilization
assuming that the bandwidths from 3 servers to the user are of the recovering process is 16/37 = 43.2%, while the
2, 3, 5 symbol per second respectively. communication rate is b × 2 = 12 symbol/s. If we adopt
the adaptive bandwidth Staircase codes, we can obtain the
bandwidth matrix
 
2 2 2 2
2 2 2 2 
MB =  3 3 3 0  . (10)


6 0 6 0
like example 3. Similarly, the bandwidth utilization of the
recovering process is 100%, while the communication rate
is b × 4 = 24 symbol/s.

FIGURE 2. The process demonstration based on Shamir’s scheme.
The two figures in Fig. 2 show the demonstration of
non-adaptive and adaptive bandwidth scheme based on
Shamir’s scheme for n = 3, k = 2. If we adopt the original
non-adaptive bandwidth scheme, we will use the data in
servers of the first k = 2 fast bandwidth, i.e., the blue portion
of server B and server C in Fig. 2(a). Thus, the bandwidth
utilization of the recovering process is 6/10 = 60%, while
the communication rate is 3 symbol/s (data from the same
row of servers can recover one symbol). If we adopt the
adaptive bandwidth scheme, we can analyze the bandwidth
V. NUMERICAL ANALYSIS
In this section, we analyze the bandwidth utilization and
communication rate of non-adaptive Shamir’s scheme (SS),
non-adaptive Staircase codes (SC), adaptive Shamir’s scheme
and adaptive Staircase codes to show the performance differ-
ences in different situations.
A. CONSTRUCTION FROM SHAMIR’s SCHEME
To demonstrate the effectiveness of adaptive secret shar-
ing scheme, we calculate the average bandwidth utilization
and communication rates of original non-adaptive Shamir’s
schemes and adaptive Shamir’s schemes for (8, k) secret shar-
ing. We assume that the bandwidth of each server to the user
is arbitrary value in 0 to 10 symbol/s. The average bandwidth
utilization U b can be expressed as
P(x+1)n Busei
i=1 Bi
Ub = , (11)
(x + 1)n

VOLUME 8, 2020 108153

 H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
where B represents the physical bandwidth of communication
line, Buse represents the bandwidth which is actually used and
x represents the upper bound of single bandwidth.
The average communication rates v can be expressed as
P(x+1)n
rows(MBi )
v = i=1 , (12)
(x + 1)n
where rows(MB ) represents the number of the bandwidth
matrix’s rows.
FIGURE 3. The average bandwidth utilization and average communication
rates of adaptive and non-adaptive Shamir’s schemes for n = 8.
Fig. 3(a) compares the average bandwidth utilization of
original non-adaptive scheme to that of adaptive scheme
for (8, k) Shamir’s scheme. In this scheme one needs to
store secret data in 8 different servers redundantly. Simi-
larly, Fig. 3(b) compares the average communication rates
under the same conditions. It’s not difficult to find that
the bandwidth utilization and communication rate of adap-
tive Shamir’s scheme are both significantly higher than that
of non-adaptive ones. And when the threshold n is fixed,
the smaller k is, the greater the difference of communication
rates are.
108154
B. CONSTRUCTION FROM STAIRCASE CODES
Staircase codes can obtain optimal communication and read
costs, hence we try to replace Shamir’s scheme with Staircase
codes in our construction. In order to highlight the differ-
ence, we compare the non-adaptive SS, the non-adaptive SC,
the adaptive SS and the adaptive SC together. In the com-
parison calculation, we find that the performance of adaptive
Staircase codes is not good in the case of lower bandwidth
upper bound. Therefore, we compare the bandwidth utiliza-
tion and communication rates under higher bandwidth bound,
which is more consistent with the practical situation.
FIGURE 4. The bandwidth utilization of non-adaptive scheme and
adaptive scheme using Shamir’s scheme or Staircase codes for
n = 8, k = 4. The x here represents the upper bound of bandwidth of
every server to the user. For example, when x = 10, each bandwidth is
limited in 0, 1, . . . , 10 symbol/s.
Fig. 4(a) compares the average bandwidth utilization of
non-adaptive scheme and adaptive schemes constructed from
Shamir’s scheme and Staircase codes for (8, 4) secret sharing,
while Fig. 4(b) compares the average communication rates
in the same case. We can observe that in the condition of
same bandwidth, after applying Staircase codes instead of
Shamir’s scheme, both non-adaptive scheme and adaptive
VOLUME 8, 2020
H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
scheme will lead to the decrease of bandwidth utilization.
However, when the upper bound of the bandwidth is large
enough, the communication rate of the adaptive scheme using
SC increases instead, which is a gratifying result. It shows that
compared with the SS, the SC can achieve a more obvious
effect after using the adaptive scheme that the promotion of
average communication rate by adaptive SC is up to 216.61%
when x = 100. This means that switching to Staircase
codes in the proposed adaptive scheme can achieve higher
communication rate with less bandwidth cost.
According to the trend of poly-line graph in Fig. 4, we can
foresee that the proposed adaptive scheme can achieve better
results when the upper bound of bandwidth is larger. In order
to verify this conjecture, we compared the bandwidth uti-
lization and communication rates of the above four schemes
under different values of n and k when x = 1000 and
k = 0.5n.
FIGURE 5. The average bandwidth utilization and average
communication rates of adaptive and non-adaptive scheme constructed
from Shamir’s scheme or Staircase codes for x = 1000.
Fig. 5 shows that when the upper bound of bandwidth is
large enough, the problem of poor self-adaptability of SC
scheme at low bandwidth no longer exists, and the com-
munication rate improvement of SC scheme after adopt-
ing the adaptive algorithm is much higher than that of SS
VOLUME 8, 2020
scheme, which means that the proposed adaptive scheme can
improve SC scheme more obviously. In general, the adaptive
bandwidth secret sharing schemes constructed from Shamir’s
scheme and Staircase codes have their own features: Shamir’s
scheme can adapt the bandwidth with small calculation cost,
while Staircase codes can recover data more efficiently with
less bandwidth usage but at the expense of higher computa-
tion complexity.
VI. CONCLUSION
In this paper, we investigate the problem of adaptive band-
width of secret sharing in distributed cloud storage systems.
We propose a novel adaptive bandwidth scheme which can be
constructed from Shamir’s secret sharing scheme or Staircase
codes. No matter which secret sharing schemes is adopted,
the proposed scheme can achieve bandwidth self-adaption
between the user and the servers in distributed storage system
and greatly increases the communication rate when the upper
bound of bandwidth is large enough. In addition, the simula-
tion results show that the adaptive Staircase codes can obtain
higher communication rate and lower bandwidth cost than
adaptive Shamir’s scheme at the same time. In other words,
if the bandwidth condition is the same and the upper bound
is large enough, the scheme constructed from Staircase codes
can recover the secret more efficiently with lower bandwidth
but higher computational overhead. We note that although
the adaptive bandwidth scheme requires calculating the band-
width matrix and changing the combination of the down-
loaded data when the bandwidth changes, which will bring a
little bit extra computational overhead, it is insignificant com-
pared with the improvement of communication efficiency
since the time complexity of generating bandwidth matrix is
approximated to O(n). Furthermore, we speculate the features
of the adaptive bandwidth scheme are influenced by the secret
sharing algorithm which constructs the scheme. Thus, we can
construct the adaptive bandwidth scheme from other secret
sharing algorithm and might obtain other excellent features.
REFERENCES
[1] S. Kamara and K. Lauter, ‘‘Cryptographic cloud storage,’’ in Proc. Int.
Conf. Financial Cryptogr. Data Secur., Berlin, Heidelberg, Jan. 2010,
pp. 136–149.
[2] J. Ousterhout, A. Gopalan, A. Gupta, A. Kejriwal, C. Lee, B. Montazeri,
D. Ongaro, S. J. Park, H. Qin, M. Rosenblum, S. Rumble, R. Stutsman, and
S. Yang, ‘‘The RAMCloud storage system,’’ ACM Trans. Comput. Syst.,
vol. 33, no. 3, pp. 1–55, Sep. 2015.
[3] F. Chen and X. Shao, ‘‘Broken-motifs diffusion LMS algorithm for
reducing communication load,’’ Signal Process., vol. 133, pp. 213–218,
Apr. 2017.
[4] R. Shor, G. Yadgar, W. Huang, E. Yaakobi, and J. Bruck, ‘‘How to best
share a big secret,’’ in Proc. 11th ACM Int. Syst. Storage Conf., Jun. 2018,
pp. 76–88.
[5] J. K. Resch and J. S. Plank, ‘‘AONT-RS: Blending security and perfor-
mance in dispersed storage systems,’’ in Proc. USENIX Conf. File Stroage
Technol., Feb. 2011, pp. 191–202.
[6] M. W. Storer, K. M. Greenan, E. L. Miller, and K. Voruganti,
‘‘POTSHARDS—A secure, recoverable, long-term archival storage sys-
tem,’’ ACM Trans. Storage, vol. 5, no. 2, pp. 1–35, Jun. 2009.
[7] E. L. Miller, W. E. Freeman, D. D. E. Long, and B. C. Reed, ‘‘Strong secu-
rity for network-attached storage,’’ in Proc. USENIX Conf. File Storage
Technol., Feb. 2002, pp. 1–13.
108155
 H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
[8] A. Shamir, ‘‘How to share a secret,’’ Commun. ACM, vol. 22, no. 11,
pp. 612–613, Nov. 1979.
[9] G. R. Blakley, ‘‘Safeguarding cryptographic keys,’’ in Proc. Int. Workshop
Manag. Requirements Knowl. (MARK), Jun. 1979, pp. 313–318.
[10] A. Bessani, M. Correia, B. Quaresma, F. André, and P. Sousa, ‘‘DepSky:
Dependable and secure storage in a cloud-of-clouds,’’ ACM Trans. Storage,
vol. 9, no. 4, pp. 31–46, Nov. 2013.
[11] Y. Hua, F. Chen, S. Deng, S. Duan, and L. Wang, ‘‘Secure distributed esti-
mation against false data injection attack,’’ Inf. Sci., vol. 515, pp. 248–262,
Apr. 2020.
[12] F. Chen, T. Shi, S. Duan, L. Wang, and J. Wu, ‘‘Diffusion least logarithmic
absolute difference algorithm for distributed estimation,’’ Signal Process.,
vol. 142, pp. 423–430, Jan. 2018.
[13] A. Bessani, R. Mendes, T. Oliveira, N. Neves, M. Correia, M. Pasin,
and P. Verissimo, ‘‘SCFS: A shared cloud-backed file system,’’ in Proc.
USENIX Annu. Tech. Conf., Jun. 2014, pp. 169–180.
[14] A. Beimel, ‘‘Secret-sharing schemes: A survey,’’ in Proc. 3rd Int. Workshop
Coding Cryptol. (IWCC), Qingdao, China, May 2011, pp. 11–46.
[15] I. Tamo, Z. Wang, and J. Bruck, ‘‘Zigzag codes: MDS array codes
with optimal rebuilding,’’ IEEE Trans. Inf. Theory, vol. 59, no. 3,
pp. 1597–1616, Mar. 2013.
[16] A. G. Dimakis, K. Ramchandran, Y. Wu, and C. Suh, ‘‘A survey on network
codes for distributed storage,’’ Proc. IEEE, vol. 99, no. 3, pp. 476–489,
Mar. 2011.
[17] K. V. Rashmi, N. B. Shah, and P. V. Kumar, ‘‘Optimal exact-regenerating
codes for distributed storage at the MSR and MBR points via a
product-matrix construction,’’ IEEE Trans. Inf. Theory, vol. 57, no. 8,
pp. 5227–5239, Aug. 2011.
[18] K. V. Rashmi, N. B. Shah, D. Gu, H. Kuang, D. Borthakur, and
K. Ramchandran, ‘‘A solution to the network challenges of data recovery
in erasure-coded distributed storage systems: A study on the Facebook
warehouse cluster,’’ in Proc. USENIX Conf. Hot Topics Storage File Syst.,
Jun. 2013, p. 8.
[19] S. Takahashi and K. Iwamura, ‘‘Secret sharing scheme suitable for cloud
computing,’’ in Proc. IEEE 27th Int. Conf. Adv. Inf. Netw. Appl. (AINA),
Mar. 2013, pp. 530–537.
[20] O. O. Koyluoglu, A. S. Rawat, and S. Vishwanath, ‘‘Secure cooperative
regenerating codes for distributed storage systems,’’ IEEE Trans. Inf. The-
ory, vol. 60, no. 9, pp. 5228–5244, Sep. 2014.
[21] R. Tandon, S. Amuru, T. C. Clancy, and R. M. Buehrer, ‘‘Toward optimal
secure distributed storage systems with exact repair,’’ IEEE Trans. Inf.
Theory, vol. 62, no. 6, pp. 3477–3492, Jun. 2016.
[22] K. V. Rashmi, N. B. Shah, and K. Ramchandran, ‘‘A piggybacking design
framework for read-and download-efficient distributed storage codes,’’
IEEE Trans. Inf. Theory, vol. 63, no. 9, pp. 5802–5820, Sep. 2017.
[23] J. Li, X. Tang, and C. Tian, ‘‘A generic transformation for optimal repair
bandwidth and rebuilding access in MDS codes,’’ in Proc. IEEE Int. Symp.
Inf. Theory (ISIT), Jun. 2017, pp. 1623–1627.
[24] R. Tajeddine and S. El Rouayheb, ‘‘Private information retrieval from MDS
coded data in distributed storage systems,’’ in Proc. IEEE Int. Symp. Inf.
Theory (ISIT), Jul. 2016, pp. 1411–1415.
[25] V. Sharma, S. Kalyanaraman, K. Kar, K. K. Ramakrishnan, and
V. Subramanian, ‘‘MPLOT: A transport protocol exploiting multipath
diversity using erasure codes,’’ in Proc. IEEE INFOCOM 27th Conf.
Comput. Commun., Apr. 2008, pp. 121–125.
[26] A. Parakh and S. Kak, ‘‘Space efficient secret sharing for implicit data
security,’’ Inf. Sci., vol. 181, no. 2, pp. 335–341, Jan. 2011.
[27] R. J. McEliece and D. V. Sarwate, ‘‘On sharing secrets and Reed–Solomon
codes,’’ Commun. ACM, vol. 24, no. 9, pp. 583–584, Sep. 1981.
[28] W. Huang, M. Langberg, J. Kliewer, and J. Bruck, ‘‘Communication
efficient secret sharing,’’ IEEE Trans. Inf. Theory, vol. 62, no. 12,
pp. 7195–7206, Dec. 2016.
[29] R. Bitar and S. E. Rouayheb, ‘‘Staircase codes for secret sharing with
optimal communication and read overheads,’’ IEEE Trans. Inf. Theory,
vol. 64, no. 2, pp. 933–943, Feb. 2018.
[30] R. Bitar, P. Parag, and S. El Rouayheb, ‘‘Minimizing latency for secure
distributed computing,’’ in Proc. IEEE Int. Symp. Inf. Theory (ISIT),
Jun. 2017, pp. 2900–2904.
[31] W. Huang and J. Bruck, ‘‘Secure RAID schemes for distributed storage,’’
in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Jul. 2016, pp. 1401–1405.
[32] L. Xiang, Y. Xu, J. C. S. Lui, and Q. Chang, ‘‘Optimal recovery of single
disk failure in RDP code storage systems,’’ ACM SIGMETRICS Perform.
Eval. Rev., vol. 38, no. 1, pp. 119–130, Jun. 2010.
108156
[33] S. Pawar, S. El Rouayheb, and K. Ramchandran, ‘‘Securing dynamic
distributed storage systems against eavesdropping and adversarial attacks,’’
IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6734–6753, Oct. 2011.
[34] A. S. Rawat, O. O. Koyluoglu, N. Silberstein, and S. Vishwanath, ‘‘Optimal
locally repairable and secure codes for distributed storage systems,’’ IEEE
Trans. Inf. Theory, vol. 60, no. 1, pp. 212–236, Jan. 2014.
[35] C. Huang, H. Simitci, Y. Xu, A. Ogus, B. Calder, P. Gopalan, J. Li, and
S. Yekhanin, ‘‘Erasure coding in windows azure storage,’’ in Proc. USENIX
Annu. Tech. Conf., Jun. 2012, pp. 15–26.
[36] D. Burihabwa, P. Felber, H. Mercier, and V. Schiavoni, ‘‘A performance
evaluation of erasure coding libraries for cloud-based data stores,’’ in
Proc. IFIP Int. Conf. Distrib. Appl. Interoper. Syst., Berlin, Heidelberg,
Jun. 2016, pp. 160–173.
[37] C. Lv, X. Jia, L. Tian, J. Jing, and M. Sun, ‘‘Efficient ideal threshold secret
sharing schemes based on EXCLUSIVE-OR operations,’’ in Proc. 4th Int.
Conf. Netw. Syst. Secur., Sep. 2010, pp. 136–143.
[38] Y. Wang, ‘‘Privacy-preserving data storage in cloud using array BP-XOR
codes,’’ IEEE Trans. Cloud Comput., vol. 3, no. 4, pp. 425–435, Oct. 2015.
HAILIANG XIONG (Member, IEEE) received
the B.Sc. and Ph.D. degrees in communication
and information systems from Xidian University,
Xi’an, China, in 2005 and 2011, respectively.
From 2009 to 2011, he was a Visiting Scholar
with The University of Sheffield, U.K., and the
University of Bedfordshire, U.K. From 2014 to
2015, he held a postdoctoral position with The
University of British Columbia, Canada. He is
currently an Associate Professor with the School
of Information Science and Engineering, Shandong University, Qingdao,
China. His research interests include privacy and security, artificial intel-
ligence, navigation and positioning, cognitive radio networks, interference
suppression, electronic warfare, and satellite communications.
CHANGWU HU (Student Member, IEEE)
received the B.Sc. degree from the School of
Information Science and Engineering, Shandong
University, Jinan, China, in 2017. He is currently
pursuing the M.S. degree with the School of
Information Science and Engineering, Shandong
University, Qingdao, China. His research interests
include the Internet of Things, wireless sensor
networks, distributed storage, information theory,
cryptography, and information security.
YUJUN LI (Member, IEEE) received the Ph.D.
degree from the Harbin Institute of Technology,
Harbin, China, in 2001. Since 2005, he has
been a Deputy Director with the State Key
Laboratory of Digital Multimedia Technology and
the Research and Development Center, Hisense
Group Company Ltd. He is currently a Full
Professor with the Department of Information
Science and Engineering, Shandong University,
Qingdao, China. His research interests include
deep learning, natural language processing, big data, artificial intelligence
algorithm, and sentiment analysis.
VOLUME 8, 2020
H. Xiong et al.: Secure Secret Sharing With Adaptive Bandwidth in Distributed Cloud Storage Systems
GUANGYUAN WANG (Student Member, IEEE)
received the B.Sc. degree from the School of
Electrical Engineering and Information, Dalian
Jiaotong University, Dalian, China, in 2017. He is
currently pursuing the M.S. degree with the School
of Information Science and Engineering, Shan-
dong University, Qingdao, China. His research
interests include the Internet of Things, wireless
sensor networks, physical layer security, cooper-
ative communication, distributed cloud storage,
electronic warfare, and information theory.
VOLUME 8, 2020
HONGCHAO ZHOU (Member, IEEE) received
the B.Sc. degree in physics and mathematics, and
the M.Sc. degree in control science and engi-
neering from Tsinghua University, Beijing, China,
in 2006 and 2008, respectively, and the M.Sc. and
Ph.D. degrees in electrical engineering from the
California Institute of Technology, Pasadena, CA,
USA, in 2009 and 2012, respectively. He is cur-
rently a Postdoctoral Researcher with the Research
Laboratory of Electronics, Massachusetts Institute
of Technology, Cambridge, MA, USA. He is also a Full Professor with the
Department of Information Science and Engineering, Shandong University,
Qingdao, China. His current research interests include information theory
and randomness, data storage, information security, and stochastic biological
networks. He was a recipient of the 2013 Charles Wilts Prize for the Best
Doctoral Thesis in electrical engineering from the California Institute of
Technology.
108157