On Security Properties of All-or-nothing Transforms

All-or-nothing transforms have been defined as bijective mappings on all s-tuples over a specified finite alphabet. These mappings are required to satisfy certain "perfect security" conditions specified using entropies of the probability distribution defined on the input s-tuples. Alternatively, purely combinatorial definitions of AONTs have been given, which involve certain kinds of "unbiased arrays". However, the combinatorial definition makes no reference to probability definitions. In this paper, we examine the security provided by AONTs that satisfy the combinatorial definition. The security of the AONT can depend on the underlying probability distribution of the s-tuples. We show that perfect security is obtained from an AONT if and only if the input s-tuples are equiprobable. However, in the case where the input s-tuples are not equiprobable, we still achieve a weaker security guarantee. We also consider the use of randomized AONTs to provide perfect security for a smaller number of inputs, even when those inputs are not equiprobable

Generalizations of All-or-Nothing Transforms and their Application in Secure Distributed Storage

An all-or-nothing transform is an invertible function that maps s inputs to s outputs such that, in the calculation of the inverse, the absence of only one output makes it impossible for an adversary to obtain any information about any single input. In this thesis, we generalize this structure in several ways motivated by different applications, and for each generalization, we provide some constructions. For a particular generalization, where we consider the security of t input blocks in the absence of t output blocks, namely, t-all-or-nothing transforms, we provide two applications. We also define a closeness measure and study structures that are close to t-all-or-nothing transforms. Other generalizations consider the situations where: i) t covers a range of values and the structure maintains its t-all-or-nothingness property for all values of t in that range; ii) the transform provides security for a smaller, yet fixed, number of inputs than the number of absent outputs; iii) the missing output blocks are only from a fixed subset of the output blocks; and iv) the transform generates n outputs so that it can still reconstruct the inputs as long as s outputs are available. In the last case, the absence of n-s+t outputs can protect the security of any t inputs. For each of these transforms, various existence and non-existence results, as well as bounds and equivalence results are presented. We finish with proposing an application of generalization (iv) in secure distributed storage