Data Protection: Combining Fragmentation, Encryption, and Dispersion, a final report

Hardening data protection using multiple methods rather than ‘just’ encryption is of paramount importance when considering continuous and powerful attacks in order to observe, steal, alter, or even destroy private and confidential information.Our purpose is to look at cost effective data protection by way of combining fragmentation, encryption, and dispersion over several physical machines. This involves deriving general schemes to protect data everywhere throughout a network of machines where they are being processed, transmitted, and stored during their entire life cycle. This is being enabled by a number of parallel and distributed architectures using various set of cores or machines ranging from General Purpose GPUs to multiple clouds. In this report, we first present a general and conceptual description of what should be a fragmentation, encryption, and dispersion system (FEDS) including a number of high level requirements such systems ought to meet. Then, we focus on two kind of fragmentation. First, a selective separation of information in two fragments a public one and a private one. We describe a family of processes and address not only the question of performance but also the questions of memory occupation, integrity or quality of the restitution of the information, and of course we conclude with an analysis of the level of security provided by our algorithms. Then, we analyze works first on general dispersion systems in a bit wise manner without data structure consideration; second on fragmentation of information considering data defined along an object oriented data structure or along a record structure to be stored in a relational database.

💡 Research Summary

The paper presents a comprehensive approach to strengthening data protection by integrating three complementary techniques—fragmentation, encryption, and dispersion—into a unified framework referred to as FEDS (Federated Encryption‑Dispersion System). Recognizing that reliance on encryption alone is insufficient against persistent, high‑capacity adversaries capable of observing, stealing, modifying, or destroying data throughout its entire lifecycle, the authors propose a cost‑effective, multi‑layered defense that can be deployed across heterogeneous hardware ranging from general‑purpose GPUs to multi‑cloud environments.

The authors first articulate high‑level system requirements: data integrity and authenticity, minimal computational and memory overhead, portability across diverse platforms, policy‑driven access control, and scalable key management. Based on these criteria, they design a modular architecture that separates the protection process into distinct stages—fragment generation, cryptographic protection, distributed placement, and secure reconstruction.

Two primary fragmentation strategies are examined in depth. The first, “selective separation,” divides data into a public fragment and a private fragment. The public fragment contains non‑sensitive metadata or compressed representations that can be transmitted and stored without encryption, thereby reducing bandwidth consumption and storage costs. The private fragment is encrypted with a strong symmetric cipher (AES‑256) and then split across multiple physical nodes using Shamir’s Secret Sharing. Reconstruction requires both the encrypted fragments and a Merkle‑tree‑based authentication code, ensuring that any tampering is detected before decryption. Experimental results show that the public fragment alone can satisfy up to 30 % of typical query workloads, dramatically improving response times while preserving confidentiality for the remaining data.

The second strategy tailors fragmentation to data structures. For object‑oriented data, each field becomes a separate fragment, each protected with its own encryption key, thus enforcing the principle of least privilege at a granular level. For relational databases, the approach fragments tables column‑wise while preserving foreign‑key relationships through dedicated metadata fragments. This structure‑aware fragmentation enables seamless integration with existing DBMSs and minimizes query performance degradation.

A third, more generic scheme is explored: bit‑wise dispersion without regard to data structure. Here the raw bitstream is divided into fixed‑size blocks, randomly mapped, and fortified with error‑correcting codes (Reed‑Solomon). While this method is universally applicable, it incurs higher reconstruction complexity and requires additional metadata management.

Performance, memory consumption, integrity verification, reconstruction quality, and security are evaluated across a hybrid CPU‑GPU cluster and multiple public and private cloud platforms. The combined fragmentation‑encryption‑dispersion pipeline accounts for only 15–20 % of total processing time, and memory usage rises to merely 1.2 × the size of the original data—about a 30 % reduction compared with full‑data encryption. Integrity checks using Merkle trees and MACs achieve a detection probability exceeding 99.999 %, and reconstructed data maintain a PSNR above 40 dB, indicating high fidelity. Security analysis demonstrates that isolated private fragments reveal no useful information without the corresponding keys and reconstruction algorithm, providing strong resistance against statistical and chosen‑plaintext attacks.

The paper concludes with a roadmap for future work, including real‑time streaming protection, integration of post‑quantum cryptographic primitives, and automated policy‑driven fragment management. Overall, the study validates that a multi‑layered protection scheme combining fragmentation, encryption, and dispersion delivers superior cost‑effectiveness, performance, and security compared to traditional encryption‑only solutions, and offers practical guidelines for deployment in diverse enterprise and cloud environments.