Message-Locked Encryption and Secure Deduplication
Mihir Bellare1 Sriram Keelveedhi2 Thomas Ristenpart3
March 2013
Abstract We formalize a new cryptographic primitive, Message-Locked Encryption (MLE), where the key under which encryption and decryption are performed is itself derived from the message. MLE provides a way to achieve secure deduplication (space-efficient secure outsourced storage), a goal currently targeted by numerous cloud-storage providers. We provide definitions both for privacy and for a form of integrity that we call tag consistency. Based on this foundation, we make both practical and theoretical contributions. On the practical side, we provide ROM security analyses of a natural family of MLE schemes that includes deployed schemes. On the theoretical side the challenge is standard model solutions, and we make connections with deterministic encryption, hash functions secure on correlated inputs and the sample-then-extract paradigm to deliver schemes under different assumptions and for different classes of message sources. Our work shows that MLE is a primitive of both practical and theoretical interest.
Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. Email: mihir@eng.ucsd.edu. URL: http://cseweb.ucsd.edu/~mihir/. Supported in part by NSF grants CNS-0904380, CCF-0915675 and CNS-1116800. 2 Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. Email: sriramkr@cs.ucsd.edu. URL: http://cseweb.ucsd.edu/~skeelvee/. Supported in part by Bellare’s grants. 3 Department of Computer Sciences, University of Wisconsin–Madison, 1210 West Dayton Street, Madison, Wisconsin 53715, USA. Email: rist@cs.wisc.edu. URL: http://pages.cs.wisc.edu/~rist/. Supported in part by NSF grant