message-locked encryption and secure...
TRANSCRIPT
Message-Locked EncryptionandSecure Deduplication
1
Mihir Bellare1
Sriram Keelveedhi1
Thomas Ristenpart2
1University of California, San Diego2University of Wisconsin-Madison
Eurocrypt 2013
Deduplication
2
Storage size after π uploads
No deduplication πͺ(π β |π|)
Deduplication πͺ(|π|)
Bob
Store π iff new
π π
Alice
Server
Store π iff new
Google Drive
Storage savings [MB11]
Backup systems 87%
Corporate networks 50%
Avoid storing multiple copies of the same data
Outsourced storage service
Dedup doesnβt work with client-side encryption
3
ππ΄ ππ΅
ππ΄ β E(ππ΄, π) ππ΅ β E(ππ΅, π)
β° = (K, E, D): Symmetric encryption scheme Bob
Store π iff new
Alice
Server
Store π iff new
ππ΄ ππ΅ππ΄
Cross-user decryption not possible, Bob still cannot decrypt ππ΄
βServer has to store both ππ΅ and ππ΄
Possible fix: Attach file hash H(π) to ciphertext?
Pr ππ΅ = ππ΄ is negligible Security of symmetric encryption
Det. PKE [BBO07, MPRS12]Searchable SE [SWP00]Searchable PKE [BBO07]
Rules out
Bob cannot decrypt ππ΄with ππ΅
{
Convergent encryption
ππ΄ ππ΅
ππ΄ β E(H(π), π) ππ΅ β E H π , π= ππ΄
Bob
Store π iff new
Alice
Server
Store π iff new
ππ΄ ππ΅ππ΄
Bob can decrypt ππ¨ with π = H(π)
π
π
π― ππ
Recipe1. π»: 0,1 β β 0,1 π: Hash function2. β° = (K, E, D): Encryption scheme with π-bit keys
Internet forums,
[DABST02]
Cloud storage
Filesystems Farsite [ABCG*02]
GNUNet
Backup [CTP04][CMN02] [KCP06]
Others [AZ10] [BBST01] [MC11][RCTLL11] [SGLM08]
5
CE has found wide useβ¦
β¦ despite unclear security guarantees
Convergent Encryption
6
β’ What kind of security can schemes like CE provide?β’ Are the deployed schemes/variants secure?
CE seems to be widely used, butβ¦
No cryptographic treatment for deduplication over encrypted data
We donβt know!
Our work answers these questions
How to supportβ’ Equality checking/deduplication?β’ Cross-user decryption?
Syntax of such schemes?
Best possible security?
Our work
1. Message-Locked Encryptionβ’ Syntax and correctness
β’ Security goals and notions
7
2. Practical contributionsβ’ Attacks and proofs for CE and variants
β’ New, faster schemes
3. Theoretical contributionsβ’ Standard model MLE schemes from
correlated-input hashes and deterministic-PKE
β’ Relating MLE and other cryptographic primitives
A cryptographic framework for schemes which achievededup over ciphertexts
Message-Locked Encryption
π
π
π
π ππ
Message-derived key
8
π
Key used for encryption is derived from the message itself
π π‘ Tagπ π Public parameter
π, E, K randomizedπ·, π deterministic
MLE Scheme β³ = (P, K, E, D, T)
Convergent encryption as an MLE scheme
π
π
π
π ππ
9
π
π π‘π π Random 128-bit string
πΆβ° = (P, K2, E2, D2, T)
1. π»: 0,1 β β 0,1 π: Hash function2. β° = (K, E, D): Encryption scheme with π-bit keys
Recipe
We will revisit πΆβ° to talk about security
Secure outsourced storage using MLE
Alice Bob
Server
1. MLE Scheme β³ = P, E, K, D, T
Recipe
2. SE Scheme π = (K2, E2, D2)
ππ΄, ππ΄β²
Upload(ππ©, ππ©β² )
Store (π)
πππ΅ β K π
π β E πππ΅ , π
cπ΅ β E2 ππ΅ , πππ΅
πππ΅ β D2 ππ΅, πβ²π΅
π β D πππ΅ , ππ΄
Retreive (ππ©, ππ¨, ππ©β² )
ππ΅ , ππ΅β²
Store (π)
πππ΄ β K π
ππ΄ β E πππ΄, π
If T ππ΄ β T ππ΅Store ππ΅
Store ππ΅β²
ππ΄, ππ΄β²ππ΄, ππ΄
β² , ππ΅β²
ππ΄β² β E2 ππ΄, ππ
π΄
ππ΄, ππ΅β²
Requirements1. π β D ππ
π΅, ππ΄2. π ππ΄ = π ππ΅3. ππ
π΄ = πππ΅ βͺ |π|
Bob recovers π
Deduplication
Storage = |π| + Ξ±
MLE Correctness
ππ π
π ππ
π π‘
MLE Scheme β³ = (P, E, K, D, T)
11
π
1. Decryption correctness Any key π derived from π can decrypt any π-ciphertext π
2. Tag correctness All π ciphertexts π produce the same tag π‘
3. Non-triviality All keys π are of the same, fixed length
D π, π = π β valid messages π, βπ β K π , βπ β E π,π
A π₯1, β¦ : Set of all outputs of π΄ on π₯1, β¦
T π1 = T(π2) β π, βπ1, π2 β K π , βπ1 β E π1, π , βπ2 β E π2, π
|K π | = π β π, βπ β K π
Security, informally
ππ π
π π π π‘
MLE Scheme β³ = (P, E, K, D, T)
12
1. PrivacyChosen Distribution vs. Random (CDR)If π has high min-entropy, πindistinguishable from random
2. Consistent tagsTag Consistency (TC)Hard to find πβ² that does not decrypt to π but has same tag as π
Attack runtime = π β π
Can we get IND-CPA style privacy for MLE?
For ππ β π doπβ² β D K ππ , πIf ππ = πβ²then return ππ
BruteForcππ(π)
Consider a set π = {π1, π2, β¦ ,ππ}
Given π β E K ππ , ππ where π β {1,2, β¦ , π}Find ππ
Has to be super-polynomial
Privacy not possible for predictable messages
No!
A generic brute-force attack:
Message recovery security: MRπ,β³
MLE Scheme β³ = (P, E, K, D, T)
Weaker than IND-CPA
Privacy: The CDR notion
π β P(); π β 0,1 ; (π1, β¦ ,ππ) β D()For π = 1 to π
ππ β K ππ ; ππ1β E ππ , ππ ;
ππ0β {0,1} ππ
1
No efficient adversary can distinguish encryptions of unpredictable messages from random strings
π¨ππ§π’π
π π’π§ Return (πβ² = π)πβ²
π, π1π , β¦ , ππ
π
π¨π π A,D = 2 β Pr CDR(D, A) β true β 1
Security: No efficient π΄ has non-negligible advantage for any unpredictable π·
CDR(A, D)
14
MLE Scheme β³ = (P, E, K, D, T)
Notion Primitive Style SQ β MQ
IND[BFOR08] D-PKE Left-Right indist. No
CDA[BBNRSSY09] PKE Left-Right indist. No
CDR [BKR13] MLE Real-random indist. Yes
Comparing with notions that need unpredictability (Discussion in paper)
SQ : Single-query, MQ : Multi-query
D is unpredictable if βπΏ β negl s.t. Pr[πβ² β {π1, β¦ , ππ} βΆ π1, β¦ ,ππ β D()] β€ πΏ βπβ²
Deduplicability vs. PrivacyDeduplication
Only when messages repeat
15
Privacy
Only when messages unpredictable
Inherent to secure deduplication β CDR provides best possible security
Encryption for Deduplicated Storage with DupLESS
USENIX Security 2013 Bellare, Keelveedhi, Ristenpart
Security for predictable messages
Data unpredictable to attacker,
not to legitimate clients
Large random file π
Server
A possible contradiction? NO!
Attacker
CiphertextShared fileπ
β’ Shared among group of clients
β’ Unknown to attacker
Duplicate faking attacks
πβ²
πβ²
16
Server
Evil dude
π β E πΎ(π), πGet πβ² that not decrypt to π
s.t. T πβ² = T π
π
1. Attacker stores πβ²2. Alice tries to store π, server already has a matching ciphertext πβ²3. When Alice downloads πβ² it decrypts to πβ² β π
Note: No unpredictability requirement
Alice
π
Store π if T(π) is new
π
Noted in [SGL08]
Tag Consistency
π β P()
No efficient adversary can find two ciphertexts with matching tagsthat decrypt to different messages
π¨
ππ§π’π
π π’π§ππ₯π’π³π π β K π ;πβ² β D(π, πβ²)π‘ β T E(π, π) ; π‘β² β T πΆβ²
If π‘ β π‘β²then return falseIf π = πβ²then return falseIf πβ² =β₯ then return falseReturn true
π, πβ²
π
π¨π πππ π΄ = Pr TC(π΄) β true
Security: No efficient π΄ has non-negligible TC advantage.
TC A
17
MLE Scheme β³ = (P, E, K, D, T)
In the paper: A stronger tag consistency notion STC
Our work
1. Message-Locked Encryptionβ’ Syntax and correctness
β’ Security goals and notions
18
2. Practical contributionsβ’ Attacks and proofs for CE and variants
β’ New, faster schemes
3. Theoretical contributionsβ’ Standard model MLE schemes from
correlated-input hashes and deterministic-PKE
β’ Relating MLE and other cryptographic primitives
Convergent Encryption
π
π
π― π π‘π π―π
19
Encryption in CE
πΆβ° = (P, K2, E2, D2, T)
1. π»: 0,1 β β 0,1 π: Hash function2. β° = (K, E, D): Encryption scheme with π-bit keys
Thm: πΆβ° is CDR secure in the ππ model if β° is Real-or-Random secure and Key-Recovery secure.
Thm: πΆβ° is TC secure in the standard model if H is a CR hash.
Recipe
In the paper
Security of other variants of CE, fixes for tag consistency vulnerabilities
Randomized CE One pass, randomized MLE scheme
Eπ π1
π2
β
H1
π1
π H2
π‘ππ H3
20
1. H1, H2, H3: 0,1β β 0,1 π: Hash functions
2. β° = (K, E, D): Encryption scheme with π-bit keys
Thm: π πΆβ° is CDR secure in the ππ model if β° is Real-or-Random secure and Key-Recovery secure.
Thm: π πΆβ° is TC secure in the ππ model.
Key generation and encryption KE2(π, π; β)
Recipe
In the paper: Comparison of performance of CE schemes. RCE is fastest.
Our work
1. Message-Locked Encryptionβ’ Syntax and correctness
β’ Security goals and notions
21
2. Practical contributionsβ’ Attacks and proofs for CE and variants
β’ New, faster schemes
3. Theoretical contributionsβ’ Standard model MLE schemes from
correlated-input hashes and deterministic-PKE
β’ Relating MLE and other cryptographic primitives
eXtract Hash and Check
π
πΏπ1π―π
22
Encryption in XHC
XHC[π», π] = (P, K, E, D, T)
1. π»: 0,1 β β 0,1 π: Hash function2. π: 0,1 π Γ 0,1 β β 0,1 π: Extractor
Thm: XHC[π», π] is CDRβ secure if π» is a correlated input hash and π is a strong randomness extractor.
Thm: XHC[π», π] is TC secure.
π1, β¦ ,ππ , β¦ ,ππ
π|β¨πβ©|ππ
π2
π1, β¦ , ππ , β¦ , ππ
Recipe Correlated-inputhashes [GOR11]
Decryption in XHC For π = 1 to πIf π|β¨πβ©|0 = ππ then ππ = 1Else ππ = 0Return π1| π2| β¦ | ππ
π
If inputs are unpredictable,hashes are pseudorandom
Standard model schemes and relations
23
Correlated-inputhashes
[GOR11]
MLE
Deterministic PKE[BBO07]
XHC
SXE:Sample-Extract-Encrypt
Secure only for independent message-distributions
MLE from extractors and symmetric encryption
In the paper:
Caveat: Donβt know how to build these in standard model with best possible security
[Wi13]Hard to build
Recap
1. Message-Locked Encryptionβ’ Syntax and correctness
β’ Security goals and notions
24
2. Practical contributionsβ’ Attacks and proofs for CE and variants
β’ New, faster schemes
3. Theoretical contributionsβ’ Standard model MLE schemes from
correlated-input hashes and deterministic-PKE
β’ Relating MLE and other cryptographic primitives
A cryptographic framework for schemes which achievededup over ciphertexts
Thank you!
25
Sriram [email protected]
Full version: eprint.iacr.org/2012/631
Follow up
β’ Encryption for Deduplicated Storage with DupLESSβ’ USENIX Security 2013
β’ Message-Locked Encryption for lock-dependent messagesβ’ Abadi, Boneh, Mironov, Raghunathan and Segev in CRYPTO 2013
β’ Several interesting open problems