Message-Locked Encryption and Secure Deduplication

We formalize a new cryptographic primitive that we call Message-Locked Encryption (MLE), where the key under which encryption and decryption are performed is itself derived from the message. MLE provides a way to achieve secure deduplication (space-efficient secure outsourced storage), a goal currently targeted by numerous cloudstorage providers. We provide definitions both for privacy and for a form of integrity that we call tag consistency. Based on this foundation, we make both practical and theoretical contributions. On the practical side, we provide ROM security analyses of a natural family of MLE schemes that includes deployed schemes. On the theoretical side the challenge is standard model solutions, and we make connections with deterministic encryption, hash functions secure on correlated inputs and the sample-then-extract paradigm to deliver schemes under different assumptions and for different classes of message sources. Our work shows that MLE is a primitive of both practical and theoretical interest.

[1]  Brian D. Noble,et al.  Proceedings of the 5th Symposium on Operating Systems Design and Implementation Pastiche: Making Backup Cheap and Easy , 2022 .

[2]  Serge Fehr,et al.  On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles , 2008, CRYPTO.

[3]  Mihir Bellare,et al.  Deterministic and Efficiently Searchable Encryption , 2007, CRYPTO.

[4]  Mihir Bellare,et al.  Interactive Message-Locked Encryption and Secure Deduplication , 2015, Public Key Cryptography.

[5]  Le Zhang,et al.  Fast and Secure Laptop Backups with Encrypted De-duplication , 2010, LISA.

[6]  Mihir Bellare,et al.  Incremental Cryptography: The Case of Hashing and Signing , 1994, CRYPTO.

[7]  Adam O'Neill,et al.  Correlated-Input Secure Hash Functions , 2011, TCC.

[8]  Salil P. Vadhan,et al.  Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model , 2003, Journal of Cryptology.

[9]  Christopher Batten,et al.  pStore: A Secure Peer-to-Peer Backup System∗ , 2007 .

[10]  Marvin Theimer,et al.  Reclaiming space from duplicate files in a serverless distributed file system , 2002, Proceedings 22nd International Conference on Distributed Computing Systems.

[11]  David Powell,et al.  A Survey of Cooperative Backup Mechanisms , 2006 .

[12]  Yevgeniy Dodis,et al.  Salvaging Merkle-Damgard for Practical Applications , 2009, IACR Cryptol. ePrint Arch..

[13]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[14]  Miguel Castro,et al.  Farsite: federated, available, and reliable storage for an incompletely trusted environment , 2002, OPSR.

[15]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[16]  Adam O'Neill,et al.  A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy , 2012, Journal of Cryptology.

[17]  Brian Warner,et al.  Tahoe: the least-authority filesystem , 2008, StorageSS '08.

[18]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[19]  Darrell D. E. Long,et al.  Secure data deduplication , 2008, StorageSS '08.

[20]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[21]  Yang Tang,et al.  A Secure Cloud Backup System with Assured Deletion and Version Control , 2011, 2011 40th International Conference on Parallel Processing Workshops.

[22]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[23]  Benny Pinkas,et al.  Proofs of ownership in remote storage systems , 2011, CCS '11.

[24]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[25]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[26]  Paul Anderson,et al.  Fast and secure laptop backups with encrypted deduplication , 2010 .

[27]  Dawn Xiaodong Song,et al.  Practical techniques for searches on encrypted data , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[28]  Hovav Shacham,et al.  Hedged Public-Key Encryption: How to Protect against Bad Randomness , 2009, ASIACRYPT.

[29]  Adam O'Neill,et al.  Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles , 2008, CRYPTO.

[30]  Joe Kilian,et al.  How to Protect DES Against Exhaustive Key Search (an Analysis of DESX) , 2015, Journal of Cryptology.

[31]  Hovav Shacham,et al.  Careful with Composition: Limitations of the Indifferentiability Framework , 2011, EUROCRYPT.

[32]  Carlos J. Costa,et al.  Secure deduplication on mobile devices , 2011, OSDOC '11.

[33]  Chi-Jen Lu,et al.  Hyper-encryption against Space-Bounded Adversaries from On-Line Strong Extractors , 2002, CRYPTO.

[34]  Zvika Brakerski,et al.  Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting , 2011, Journal of Cryptology.

[35]  Luca Trevisan,et al.  Streaming computation of combinatorial objects , 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[36]  Rafail Ostrovsky,et al.  Public Key Encryption with Keyword Search , 2004, EUROCRYPT.

[37]  Noam Nisan,et al.  Randomness is Linear in Space , 1996, J. Comput. Syst. Sci..

[38]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[39]  Daniel Wichs,et al.  Barriers in cryptography with weak, correlated and leaky sources , 2013, ITCS '13.

[40]  ABS : The Apportioned Backup System , 2004 .

[41]  Jia Xu,et al.  Weak leakage-resilient client-side deduplication of encrypted data in cloud storage , 2013, ASIA CCS '13.

[42]  Benny Pinkas,et al.  Side Channels in Cloud Services: Deduplication in Cloud Storage , 2010, IEEE Security & Privacy.

[43]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.