Abstract

A distributed storage system (DSS) is a fundamental building block in many distributed applications. It applies linear network coding to achieve an optimal tradeoff between storage and repair bandwidth when node failures occur. Additively homomorphic encryption is compatible with linear network coding. The homomorphic property ensures that a linear combination of ciphertext messages decrypts to the same linear combination of the corresponding plaintext messages. In this paper, we construct a linearly homomorphic symmetric encryption scheme that is designed for a DSS. Our proposal provides simultaneous encryption and error correction by applying linear error correcting codes. We show its IND-CPA security for a limited number of messages based on binary Goppa codes and the following assumption: when dividing a scrambled generator matrix \(\mathbf{\widehat{G}}\) into two parts \(\mathbf{\widehat{G_1}}\) and \(\mathbf{\widehat{G_2}}\), it is infeasible to distinguish \(\mathbf{\widehat{G_2}}\) from random and to find a statistical connection between \(\mathbf{\widehat{G_1}}\) and \(\mathbf{\widehat{G_2}}\). Our infeasibility assumptions are closely related to those underlying the McEliece public key cryptosystem but are considerably weaker. We believe that the proposed problem has independent cryptographic interest.