Message-Locked Encryption and Secure Deduplication

Mihir Bellare (1), Sriram Keelveedhi (1), Thomas Ristenpart (2)
(1) University of California, San Diego
(2) University of Wisconsin-Madison
Eurocrypt 2013

Deduplication

Avoid storing multiple copies of the same data

Outsourced storage service (Google Drive): Alice and Bob each upload $m$; the server stores $m$ iff new.

Storage size after $n$ uploads
No deduplication: $O(n \cdot |m|)$
Deduplication: $O(|m|)$

Storage savings [MB11]
Backup systems: 87%
Corporate networks: 50%

Dedup doesn't work with client-side encryption

$\mathcal{E} = (K, E, D)$: Symmetric encryption scheme

Alice holds key $k_A$ and uploads $c_A \leftarrow E(k_A, m)$; Bob holds key $k_B$ and uploads $c_B \leftarrow E(k_B, m)$. The server stores $c$ iff new.

$\Pr[c_B = c_A]$ is negligible (security of symmetric encryption)
$\Rightarrow$ Server has to store both $c_B$ and $c_A$

Possible fix: Attach file hash $H(m)$ to ciphertext?
Cross-user decryption not possible, Bob still cannot decrypt $c_A$
Bob cannot decrypt $c_A$ with $k_B$

Rules out: Det. PKE [BBO07, MPRS12], Searchable SE [SWP00], Searchable PKE [BBO07]

Convergent encryption
Internet forums, [DABST02]

Recipe
1. $H: \{0,1\}^* \to \{0,1\}^\kappa$: Hash function
2. $\mathcal{E} = (K, E, D)$: Encryption scheme with $\kappa$-bit keys

Alice uploads $c_A \leftarrow E(H(m), m)$; Bob uploads $c_B \leftarrow E(H(m), m) = c_A$. The server stores $c$ iff new.

Bob can decrypt $c_A$ with $k = H(m)$

CE has found wide use…

Cloud storage
Filesystems: Farsite [ABCG*02]
GNUNet
Backup: [CTP04] [CMN02] [KCP06]
Others: [AZ10] [BBST01] [MC11] [RCTLL11] [SGLM08]

… despite unclear security guarantees

Convergent Encryption

CE seems to be widely used, but…
• What kind of security can schemes like CE provide?
• Are the deployed schemes/variants secure?
We don't know!

No cryptographic treatment for deduplication over encrypted data

How to support
• Equality checking/deduplication?
• Cross-user decryption?
Syntax of such schemes?
Best possible security?

Our work answers these questions

Our work

A cryptographic framework for schemes which achieve dedup over ciphertexts

1. Message-Locked Encryption
• Syntax and correctness
• Security goals and notions
2. Practical contributions
• Attacks and proofs for CE and variants
• New, faster schemes
3. Theoretical contributions
• Standard model MLE schemes from correlated-input hashes and deterministic-PKE
• Relating MLE and other cryptographic primitives

Message-Locked Encryption

MLE Scheme $\mathcal{M} = (P, K, E, D, T)$

Key used for encryption is derived from the message itself (message-derived key)

$P$ outputs the public parameter $p$; $T$ outputs the tag $t$
$P$, $E$, $K$ randomized; $D$, $T$ deterministic

Convergent encryption as an MLE scheme

$CE = (P, K2, E2, D2, T)$

Recipe
1. $H: \{0,1\}^* \to \{0,1\}^\kappa$: Hash function
2. $\mathcal{E} = (K, E, D)$: Encryption scheme with $\kappa$-bit keys

$P$ outputs a random 128-bit string

We will revisit $CE$ to talk about security

Secure outsourced storage using MLE

Recipe
1. MLE Scheme $\mathcal{M} = (P, E, K, D, T)$
2. SE Scheme $(K2, E2, D2)$

Alice, Store($m$):
$k_m^A \leftarrow K(m)$
$c_A \leftarrow E(k_m^A, m)$
$c'_A \leftarrow E2(k_A, k_m^A)$
Alice uploads $c_A, c'_A$; the server stores $c_A, c'_A$

Bob, Store($m$):
$k_m^B \leftarrow K(m)$
$c_B \leftarrow E(k_m^B, m)$
$c'_B \leftarrow E2(k_B, k_m^B)$
Upload($c_B, c'_B$)

Server:
If $T(c_A) \neq T(c_B)$, store $c_B$
Store $c'_B$
The server now holds $c_A, c'_A, c'_B$

Bob, Retrieve($k_B, c_A, c'_B$): the server returns $c_A, c'_B$
$k_m^B \leftarrow D2(k_B, c'_B)$
$m \leftarrow D(k_m^B, c_A)$
Bob recovers $m$

Requirements
1. $m \leftarrow D(k_m^B, c_A)$
2. $T(c_A) = T(c_B)$
3. $|k_m^A| = |k_m^B| \ll |m|$

Deduplication: Storage = $|m| + \alpha$

MLE Correctness

MLE Scheme $\mathcal{M} = (P, E, K, D, T)$

$A(x_1, \ldots)$: Set of all outputs of $A$ on $x_1, \ldots$

1. Decryption correctness: Any key $k$ derived from $m$ can decrypt any $m$-ciphertext $c$
$D(k, c) = m$ $\forall$ valid messages $m$, $\forall k \in K(m)$, $\forall c \in E(k, m)$

2. Tag correctness: All $m$ ciphertexts $c$ produce the same tag $t$
$T(c_1) = T(c_2)$ $\forall m$, $\forall k_1, k_2 \in K(m)$, $\forall c_1 \in E(k_1, m)$, $\forall c_2 \in E(k_2, m)$

3. Non-triviality: All keys $k$ are of the same, fixed length
|K π | = π β π, βπ β K π

Security, informally

MLE Scheme $\mathcal{M} = (P, E, K, D, T)$

1. Privacy: Chosen Distribution vs. Random (CDR)
If $m$ has high min-entropy, $c$ indistinguishable from random

2. Consistent tags: Tag Consistency (TC)
Hard to find $c'$ that does not decrypt to $m$ but has same tag as $c$
Attack runtime = π β π

Can we get IND-CPA style privacy for MLE? No!

MLE Scheme $\mathcal{M} = (P, E, K, D, T)$

A generic brute-force attack:
Consider a set $S = \{m_1, m_2, \ldots, m_n\}$
Given $c \leftarrow E(K(m_i), m_i)$ where $i \in \{1, 2, \ldots, n\}$
Find $m_i$

BruteForce$_S(c)$
  For $m_i \in S$ do
    $m' \leftarrow D(K(m_i), c)$
    If $m_i = m'$ then return $m_i$

Has to be super-polynomial

Privacy not possible for predictable messages

Message recovery security: $MR_{S,\mathcal{M}}$
Weaker than IND-CPA

Privacy: The CDR notion

MLE Scheme $\mathcal{M} = (P, E, K, D, T)$

No efficient adversary can distinguish encryptions of unpredictable messages from random strings

Game CDR(A, D)
Init:
  $p \leftarrow P()$; $b \leftarrow \{0,1\}$; $(m_1, \ldots, m_n) \leftarrow D()$
  For $i = 1$ to $n$:
    $k_i \leftarrow K(m_i)$; $c_i^1 \leftarrow E(k_i, m_i)$; $c_i^0 \leftarrow \{0,1\}^{|c_i^1|}$
  $A$ receives $p, c_1^b, \ldots, c_n^b$ and outputs $b'$
Fin:
  Return $(b' = b)$

$\mathbf{Adv}(A, D) = 2 \cdot \Pr[\mathrm{CDR}(D, A) \Rightarrow \text{true}] - 1$

Security: No efficient $A$ has non-negligible advantage for any unpredictable $D$

$D$ is unpredictable if $\exists \delta \in \text{negl}$ s.t. $\Pr[m' \in \{m_1, \ldots, m_n\} : m_1, \ldots, m_n \leftarrow D()] \le \delta$ $\forall m'$

Comparing with notions that need unpredictability (Discussion in paper)

| Notion | Primitive | Style | SQ $\Rightarrow$ MQ |
|---|---|---|---|
| IND [BFOR08] | D-PKE | Left-Right indist. | No |
| CDA [BBNRSSY09] | PKE | Left-Right indist. | No |
| CDR [BKR13] | MLE | Real-random indist. | Yes |

SQ: Single-query, MQ: Multi-query

Deduplicability vs. Privacy

Deduplication: Only when messages repeat
Privacy: Only when messages unpredictable

A possible contradiction? NO!
Data unpredictable to attacker, not to legitimate clients

Large random file $m$
• Shared among group of clients
• Unknown to attacker
[Diagram: server, attacker, ciphertext, shared file $m$]

Inherent to secure deduplication: CDR provides best possible security

Security for predictable messages:
Encryption for Deduplicated Storage with DupLESS
USENIX Security 2013
Bellare, Keelveedhi, Ristenpart

Duplicate faking attacks
Noted in [SGL08]

$c \leftarrow E(K(m), m)$
Attacker ("Evil dude"): get $c'$ that does not decrypt to $m$ s.t. $T(c') = T(c)$
Server: Store $c$ if $T(c)$ is new

1. Attacker stores $c'$
2. Alice tries to store $c$, server already has a matching ciphertext $c'$
3. When Alice downloads $c'$ it decrypts to $m' \neq m$

Note: No unpredictability requirement

Tag Consistency

MLE Scheme $\mathcal{M} = (P, E, K, D, T)$

No efficient adversary can find two ciphertexts with matching tags that decrypt to different messages

Game TC(A)
Init:
  $p \leftarrow P()$
  $A$ receives $p$ and outputs $m, c'$
Finalize($m, c'$):
  $k \leftarrow K(m)$; $m' \leftarrow D(k, c')$
  $t \leftarrow T(E(k, m))$; $t' \leftarrow T(c')$
  If $t \neq t'$ then return false
  If $m = m'$ then return false
  If $m' = \bot$ then return false
  Return true

$\mathbf{Adv}^{TC}(A) = \Pr[\mathrm{TC}(A) \Rightarrow \text{true}]$

Security: No efficient $A$ has non-negligible TC advantage.

In the paper: A stronger tag consistency notion STC

Convergent Encryption

$CE = (P, K2, E2, D2, T)$

Recipe
1. $H: \{0,1\}^* \to \{0,1\}^\kappa$: Hash function
2. $\mathcal{E} = (K, E, D)$: Encryption scheme with $\kappa$-bit keys

[Diagram: Encryption in CE]

Thm: $CE$ is CDR secure in the RO model if $\mathcal{E}$ is Real-or-Random secure and Key-Recovery secure.
Thm: $CE$ is TC secure in the standard model if $H$ is a CR hash.

In the paper: Security of other variants of CE, fixes for tag consistency vulnerabilities
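
The CE recipe, the server's "store iff new" rule and the Finalize step of the TC game from the slides above, written out as an added Python example (not code from the talk or the paper). It assumes SHA-256 for H, a tag computed as T(c) = H(c), and a toy SHAKE-256 keystream cipher standing in for the symmetric scheme; all function and class names are illustrative.

```python
import hashlib

# Assumptions (not from the slides): H is SHA-256, T(c) = H(c), and E/D is a toy
# deterministic stream cipher (XOR with a SHAKE-256 keystream), not a real cipher.
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen(m: bytes) -> bytes:             # K(m): key derived from the message
    return H(m)

def encrypt(k: bytes, m: bytes) -> bytes:  # E(k, m), deterministic
    stream = hashlib.shake_256(k).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, stream))

decrypt = encrypt                          # D(k, c): XOR is its own inverse

def tag(c: bytes) -> bytes:                # T(c): computable by the server
    return H(c)

class DedupServer:
    """Keeps one ciphertext per tag ("Store c iff new")."""
    def __init__(self):
        self.blobs = {}                    # tag -> ciphertext
    def store(self, c: bytes) -> bytes:
        t = tag(c)
        self.blobs.setdefault(t, c)
        return t

def tc_finalize(m: bytes, c_prime: bytes) -> bool:
    """Finalize of the TC game; True means the pair (m, c') wins."""
    k = keygen(m)
    m_prime = decrypt(k, c_prime)
    if tag(encrypt(k, m)) != tag(c_prime):
        return False                       # t != t': server would not match c'
    if m == m_prime:
        return False                       # c' decrypts to m: nothing was faked
    if m_prime is None:
        return False                       # decryption rejected c' (never here)
    return True

def demo() -> dict:
    m = b"constructed sample file, same for Alice and Bob\n" * 8
    server = DedupServer()
    c = encrypt(keygen(m), m)                        # Alice's ciphertext
    t_alice, t_bob = server.store(c), server.store(encrypt(keygen(m), m))
    forged = bytes([c[0] ^ 1]) + c[1:]               # constructed tampered c'
    return {
        "stored_copies": len(server.blobs),
        "same_tag": t_alice == t_bob,
        "bob_recovers_m": decrypt(keygen(m), server.blobs[t_bob]) == m,
        "honest_pair_wins": tc_finalize(m, c),
        "forged_pair_wins": tc_finalize(m, forged),
    }

print(demo())
```

Because the tag is a hash of the ciphertext itself, a tampered ciphertext fails the first check in Finalize unless it collides under H, which is the collision-resistance condition in the TC theorem above.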

Randomized CE
One pass, randomized MLE scheme

Recipe
1. $H1, H2, H3: \{0,1\}^* \to \{0,1\}^\kappa$: Hash functions
2. $\mathcal{E} = (K, E, D)$: Encryption scheme with $\kappa$-bit keys

[Diagram: Key generation and encryption KE2, built from E, H1, H2 and H3]

Thm: $RCE$ is CDR secure in the RO model if $\mathcal{E}$ is Real-or-Random secure and Key-Recovery secure.
Thm: $RCE$ is TC secure in the RO model.

In the paper: Comparison of performance of CE schemes. RCE is fastest.
eXtract Hash and Check
Encryption in XHC
XHC[π», π] = (P, K, E, D, T)
1. π»: 0,1 β β 0,1 π: Hash function2. π: 0,1 π Γ 0,1 β β 0,1 π: Extractor
Thm: XHC[π», π] is CDRβ secure if π» is a correlated input hash and π is a strong randomness extractor.
Thm: XHC[π», π] is TC secure.
π1, β¦ ,ππ , β¦ ,ππ
π|β¨πβ©|ππ
π2
π1, β¦ , ππ , β¦ , ππ
Recipe
Correlated-input hashes [GOR11]
Decryption in XHC For π = 1 to πIf π|β¨πβ©|0 = ππ then ππ = 1Else ππ = 0Return π1| π2| β¦ | ππ
If inputs are unpredictable, hashes are pseudorandom

Standard model schemes and relations

Correlated-input hashes [GOR11]
[Wi13] Hard to build
Deterministic PKE [BBO07]
MLE
XHC

Caveat: Don't know how to build these in standard model with best possible security

In the paper:
SXE: Sample-Extract-Encrypt
MLE from extractors and symmetric encryption
Secure only for independent message-distributions

Recap

A cryptographic framework for schemes which achieve dedup over ciphertexts

1. Message-Locked Encryption
• Syntax and correctness
• Security goals and notions
2. Practical contributions
• Attacks and proofs for CE and variants
• New, faster schemes
3. Theoretical contributions
• Standard model MLE schemes from correlated-input hashes and deterministic-PKE
• Relating MLE and other cryptographic primitives

Thank you!

Sriram Keelveedhi
Full version: eprint.iacr.org/2012/631

Follow up
• Encryption for Deduplicated Storage with DupLESS
  • USENIX Security 2013
• Message-Locked Encryption for lock-dependent messages
  • Abadi, Boneh, Mironov, Raghunathan and Segev in CRYPTO 2013
• Several interesting open problems