Venue | Category |
---|---|
EuroCrypto'13 | Secure Deduplication |
Message-Locked Encryption and Secure Deduplication1. SummaryMotivation of this paperMLE definitionsImplementation and Evaluation2. Strength (Contributions of the paper)3. Weakness (Limitations of the paper)4. Some Insights (Future work)
The formulation of MLE
There is an absence of a theoretical treatment for MLE in secure deduplication deployment.
General MLE syntax
For convergent encryption:
Privacy:
No MLE scheme can achieve semantic-security-style privacy
if the target message is drawn from a space of
Tag consistency: (how to against the duplicate faking attacks)
TC: an adversary cannot make an honest client recover an incorrect message, meaning one different from the one it uploaded. (cannot protect the message integrity)
STC: an adversary cannot erase an honest client's message.
STC is strictly stronger than TC.
If an MLE scheme is deterministic, letting the tag equal the ciphertext will result in a scheme that is STC secure.
Discussion: for upload operation
Fast MLE schemes
CE: convergent encryption
HCE1 (Hash-and-CE 1, in TahoeFS)
HCE2
RCE
Performance of each MLE scheme
different trade-offs between assumptions made and the message distributions for which security is proven.
CE, HCE1, HCE2. RCE
: , , : , ,
The can offer better performance for the server who can simply read the tag as the second part of the ciphertext rather than needing to compute it by hashing the possibly long ciphertext.
vulnerable to duplicate faking attacks