Message-Locked Encryption and Secure Deduplication

Transcription

1 Message-Locked Encryption and Secure Deduplication Eurocrypt 2013 Mihir Bellare 1 Sriram Keelveedhi 1 Thomas Ristenpart 2 1 University of California, San Diego 2 University of Wisconsin-Madison 1

2 Deduplication Avoid storing multiple copies of the same data Alice Outsourced storage service Bob f Server f Google Drive Storef fiff iff new Storage size after n uploads No deduplication O(n f ) Deduplication O( f ) Storage savings [MB11] Backup systems 87% Corporate networks 50% 2

3 Dedup doesn t work with client-side encryption Alice E = (K, E, D): Symmetric encryption scheme Bob Server k A c A c A E(k A, f) c B E(k B, f) c B c A k B Storef ciff iff new Bob cannot decrypt c A with k B Pr c B = c A is negligible Security of symmetric encryption Server has to store both c B and c A Possible fix: Attach file hash H(f) to ciphertext? Cross-user decryption not possible, Bob still cannot decrypt c { A Det. PKE [BBO07, MPRS12] Rules out Searchable SE [SWP00] Searchable PKE [BBO07] 3

4 Convergent encryption Recipe 1. H: 0,1 0,1 k : Hash function 2. E = (K, E, D): Encryption scheme with k-bit keys Internet forums, [DABST02] m H k E c Alice Bob k A c A Server c A E(H(f), f) c B E H f, f = c A Storef ciff iff new c B c A k B Bob can decrypt c A with k = H(f)

5 CE has found wide use Cloud storage Filesystems Farsite [ABCG*02] GNUNet Backup [CMN02] [KCP06] [CTP04] Others [AZ10] [RCTLL11] [SGLM08] [BBST01] [MC11] despite unclear security guarantees 5

6 Convergent Encryption CE seems to be widely used, but What kind of security can schemes like CE provide? Are the deployed schemes/variants secure? We don t know! No cryptographic treatment for deduplication over encrypted data Syntax of such schemes? How to support Equality checking/deduplication? Cross-user decryption? Best possible security? Our work answers these questions 6

7 Our work 1. Message-Locked Encryption Syntax and correctness Security goals and notions 2. Practical contributions Attacks and proofs for CE and variants New, faster schemes A cryptographic framework for schemes which achieve dedup over ciphertexts 3. Theoretical contributions Standard model MLE schemes from correlated-input hashes and deterministic-pke Relating MLE and other cryptographic primitives 7

8 Message-Locked Encryption MLE Scheme M = (P, K, E, D, T) P, E, K randomized D, T deterministic Key used for encryption is derived from the message itself Message-derived key K k m E c D m P p Public parameter T t Tag 8

9 Convergent encryption as an MLE scheme Recipe 1. H: 0,1 0,1 k : Hash function 2. E = (K, E, D): Encryption scheme with k-bit keys CE = (P, K 2, E 2, D 2, T) We will revisit CE to talk about security H k m E c D m P p Random 128-bit string H t 9

10 Secure outsourced storage using MLE Recipe 1. MLE Scheme M = P, E, K, D, T 2. SE Scheme S = (K 2, E 2, D 2 ) Store (f) Alice k A f K f c A E k A f, f c A A E 2 k A, k f c A, c A 1. f D k f B, c A 2. T c A = T c B 3. k f A = k f B f Upload(c B, c B ) If T c A T c B Store c B Store c B Server c A c, A c, A c, A c B Requirements Bob recovers f Deduplication c B, c B c A, c B Storage = f + α Store (f) Bob k f B K f c E k f B, f c B E 2 k B, k f B Retreive (k B, c A, c B ) k B f D 2 k B, c B f D k B f, c A

11 MLE Correctness MLE Scheme M = (P, E, K, D, T) 1. Decryption correctness Any key k derived from m can decrypt any m-ciphertext c D k, c = m valid messages m, k K m, c E k, m 2. Tag correctness All m ciphertexts c produce the same tag t T c 1 = T(c 2 ) m, k 1, k 2 K m, c 1 E k 1, m, c 2 E k 2, m 3. Non-triviality All keys k are of the same, fixed length K m = κ m, k K m m K k E c D m A x 1, : Set of all outputs of A on x 1, T t 11

12 Security, informally MLE Scheme M = (P, E, K, D, T) m K k E c T t 1. Privacy Chosen Distribution vs. Random (CDR) If m has high min-entropy, c indistinguishable from random 2. Consistent tags Tag Consistency (TC) Hard to find c that does not decrypt to m but has same tag as m 12

13 Can we get IND-CPA style privacy for MLE? No! MLE Scheme M = (P, E, K, D, T) Message recovery security: MR S,M Consider a set S = {m 1, m 2,, m n } Given c E K m i, m i where i {1,2,, n} A generic brute-force attack: Find m i Weaker than IND-CPA BruteForce S (c) For m i S do m D K m i, c If m i = m then return m i Attack runtime = c n Has to be super-polynomial Privacy not possible for predictable messages

14 Privacy: The CDR notion No efficient adversary can distinguish encryptions of unpredictable messages from random strings CDR(A, D) Init Fin p P(); b 0,1 ; (m 1,, m n ) D() For i = 1 to n k i K m i ; c 1 i E k i, m i ; c 0 i {0,1} c i 1 Return (b = b) Adv A, D = 2 Pr CDR(D, A) true 1 MLE Scheme M = (P, E, K, D, T) p, c 1 b,, c n b D is unpredictable if δ negl s.t. Pr[m {m 1,, m n } m 1,, m n D()] δ m Security: No efficient A has non-negligible advantage for any unpredictable D Comparing with notions that need unpredictability (Discussion in paper) Notion Primitive Style SQ MQ IND[BFOR08] D-PKE Left-Right indist. No CDA[BBNRSSY09] PKE Left-Right indist. No CDR [BKR13] MLE Real-random indist. Yes b SQ : Single-query, MQ : Multi-query A 14

15 Deduplicability vs. Privacy Deduplication Privacy Only when messages repeat Only when messages unpredictable A possible contradiction? NO! Data unpredictable to attacker, not to legitimate clients Server Attacker Large random file f Shared among group of clients Unknown to attacker Inherent to secure deduplication CDR provides best possible security Security for predictable messages Encryption for Deduplicated Storage with DupLESS USENIX Security 2013 f Ciphertext Shared file Bellare, Keelveedhi, Ristenpart 15

16 Duplicate faking attacks Alice f Server c c c Noted in [SGL08] Evil dude f c E K(f), f Get c that not decrypt to f s.t. T c = T c Store c if T(c) is new 1. Attacker stores c 2. Alice tries to store c, server already has a matching ciphertext c 3. When Alice downloads c it decrypts to f f Note: No unpredictability requirement 16

17 Tag Consistency No efficient adversary can find two ciphertexts with matching tags that decrypt to different messages TC A Init MLE Scheme M = (P, E, K, D, T) p P() p A Finalize k K m ; m D(k, c ) t T E(k, m) ; t T C If t t then return false If m = m then return false If m = then return false Return true m, c Adv TC A = Pr TC(A) true Security: No efficient A has non-negligible TC advantage. In the paper: A stronger tag consistency notion STC 17

18 Our work 1. Message-Locked Encryption Syntax and correctness Security goals and notions 2. Practical contributions Attacks and proofs for CE and variants New, faster schemes 3. Theoretical contributions Standard model MLE schemes from correlated-input hashes and deterministic-pke Relating MLE and other cryptographic primitives 18

19 Convergent Encryption CE = (P, K 2, E 2, D 2, T) Encryption in CE m Recipe 1. H: 0,1 0,1 k : Hash function 2. E = (K, E, D): Encryption scheme with k-bit keys p H k E c H t Thm: CE is CDR secure in the RO model if E is Real-or-Random secure and Key-Recovery secure. Thm: CE is TC secure in the standard model if H is a CR hash. In the paper Security of other variants of CE, fixes for tag consistency vulnerabilities 19

20 Randomized CE One pass, randomized MLE scheme Recipe 1. H 1, H 2, H 3 : 0,1 0,1 k : Hash functions 2. E = (K, E, D): Encryption scheme with k-bit keys Key generation and encryption KE 2 (p, m; l) l m E c 1 p 1 H 1 k H2 c 2 p 2 H 3 Thm: RCE is CDR secure in the RO model if E is Real-or-Random secure and Key-Recovery secure. Thm: RCE is TC secure in the RO model. t 20 In the paper: Comparison of performance of CE schemes. RCE is fastest.

21 Our work 1. Message-Locked Encryption Syntax and correctness Security goals and notions 2. Practical contributions Attacks and proofs for CE and variants New, faster schemes 3. Theoretical contributions Standard model MLE schemes from correlated-input hashes and deterministic-pke Relating MLE and other cryptographic primitives 21

22 extract Hash and Check Recipe 1. H: 0,1 0,1 k : Hash function 2. X: 0,1 k 0,1 0,1 k : Extractor XHC[H, X] = (P, K, E, D, T) Correlated-input hashes [GOR11] If inputs are unpredictable, hashes are pseudorandom Encryption in XHC m m 1,, m i,, m n p 2 p 1 X k k i m i H Decryption in XHC m For i = 1 to n If k i 0 = c i then m i = 1 Else m i = 0 Return m 1 m 2 m n c 1,, c i,, c n Thm: XHC[H, X] is CDR secure if H is a correlated input hash and X is a strong randomness extractor. Thm: XHC[H, X] is TC secure. 22

23 Standard model schemes and relations MLE XHC Correlated-input hashes [GOR11] Deterministic PKE [BBO07] Caveat: Don t know how to build these in standard model with best possible security In the paper: SXE:Sample-Extract-Encrypt MLE from extractors and symmetric encryption Secure only for independent message-distributions Hard to build [Wi13] 23

24 Recap 1. Message-Locked Encryption Syntax and correctness Security goals and notions 2. Practical contributions Attacks and proofs for CE and variants New, faster schemes A cryptographic framework for schemes which achieve dedup over ciphertexts 3. Theoretical contributions Standard model MLE schemes from correlated-input hashes and deterministic-pke Relating MLE and other cryptographic primitives 24

25 Follow up Encryption for Deduplicated Storage with DupLESS USENIX Security 2013 Message-Locked Encryption for lock-dependent messages Abadi, Boneh, Mironov, Raghunathan and Segev in CRYPTO 2013 Several interesting open problems Thank you! Sriram Keelveedhi Full version: eprint.iacr.org/2012/631 25