Message-Locked Encryption and Secure Deduplication.

Topics: Cryptography, Key, Encryption Pages: 50 (18838 words) Published: September 12, 2013
A preliminary version of this paper appears in the proceedings of Eurocrypt 2013. This is the full version.

Message-Locked Encryption and Secure Deduplication
Mihir Bellare1 Sriram Keelveedhi2 Thomas Ristenpart3

March 2013

Abstract We formalize a new cryptographic primitive, Message-Locked Encryption (MLE), where the key under which encryption and decryption are performed is itself derived from the message. MLE provides a way to achieve secure deduplication (space-efficient secure outsourced storage), a goal currently targeted by numerous cloud-storage providers. We provide definitions both for privacy and for a form of integrity that we call tag consistency. Based on this foundation, we make both practical and theoretical contributions. On the practical side, we provide ROM security analyses of a natural family of MLE schemes that includes deployed schemes. On the theoretical side the challenge is standard model solutions, and we make connections with deterministic encryption, hash functions secure on correlated inputs and the sample-then-extract paradigm to deliver schemes under different assumptions and for different classes of message sources. Our work shows that MLE is a primitive of both practical and theoretical interest.

Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. Email: mihir@eng.ucsd.edu. URL: http://cseweb.ucsd.edu/~mihir/. Supported in part by NSF grants CNS-0904380, CCF-0915675 and CNS-1116800. 2 Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. Email: sriramkr@cs.ucsd.edu. URL: http://cseweb.ucsd.edu/~skeelvee/. Supported in part by Bellare’s grants. 3 Department of Computer Sciences, University of Wisconsin–Madison, 1210 West Dayton Street, Madison, Wisconsin 53715, USA. Email: rist@cs.wisc.edu. URL: http://pages.cs.wisc.edu/~rist/. Supported in part by NSF grant CNS-1065134 and generous gifts from RSA Labs and Microsoft.

1

1

Contents
1 Introduction 1.1 Background . . . . . . . . . . 1.2 Definitions and Relations . . 1.3 Practical Contributions . . . 1.4 Theoretical Contributions . . 1.5 Further Remarks and Related 2 Preliminaries 3 Message-Locked Encryption 4 Practical Contributions: The Security of Fast MLE Schemes 5 Theoretical Contributions: Constructions without ROs 5.1 Extract-Hash-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Sample-Extract-Encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A Relations Between MLE Privacy Notions B Proof of PRV$-CDA for CE, HCE1, HCE2, RCE C Instantiations and Performance of CE, HCE2, and RCE D Proof of Theorem 5.1 E Proof of Theorem 5.2 . . . . . . . . . . . . . . . . Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 4 5 5 7 7 8 11 13 13 15 19 22 25 26 28

2

1

Introduction

We introduce an intriguing new primitive that we call Message-Locked Encryption (MLE). An MLE scheme is a symmetric encryption scheme in which the key used for encryption and decryption is itself derived from the message. Instances of this primitive are seeing widespread deployment and application for the purpose of secure deduplication [1, 2, 4, 5, 7, 8, 10, 22, 23, 35, 37, 41, 45, 49], but in the absence of a theoretical treatment, we have no precise indication of what these methods do or do not accomplish. We provide definitions of privacy and integrity peculiar to this domain. Now having created a clear, strong target for designs, we make contributions that may broadly be divided into two parts: (1) practical and (2) theoretical. In the first category we analyze existing...
Continue Reading

Please join StudyMode to read the full document

You May Also Find These Documents Helpful

  • Encryption Essay
  • Essay about Role of Multiple Encryption in Secure Electronic Transaction
  • Essay about An Encryption and Decryption Algorithm for Messages Transmitted by Phonetic Alphabets
  • Image Encryption Essay
  • Secure Essay
  • Data Encryption Essay
  • Data Encryption Essay
  • Speck Encryption Essay

Become a StudyMode Member

Sign Up - It's Free