Leakage-Resilient Client-side Deduplication of Encrypted Data in Cloud Storage

Cloud storage service is gaining popularity in recent years. Clientside deduplication is an effective approach to save bandwidth and storage, and adopted by many cloud storage services including Dropbox, MozyHome and Wuala. Security flaws, which may lead to private data leakage, in the existing client-side deduplication mechanism are found recently by Harnik et al. (S&P Magazine, ’10) and Halevi et al. (CCS ’11). Halevi et al. identified an important security issue in client-side deduplication which leads to leakage of private users’ files to outside attackers, and addressed this issue by constructing schemes which they called proofs of ownership (PoW). In a proof of ownership scheme, any owner of the same file F can prove to the cloud storage that he/she owns file F in a robust and efficient way, even if a certain amount of arbitrary information about file F is leaked. In this paper, we make two main contributions: • We construct a hash function Hk : {0, 1} → {0, 1} with time complexity in O(M + L) and memory complexity in O(1), which is non-linear and provably pairwise-independent in the random oracle model. We apply the constructed hash function to obtain a proof of ownership scheme, which is provably secure w.r.t. any distribution of input file with sufficient min-entropy, in the random oracle model. In contrast, the PoW scheme (the last and the most practical construction) in Halevi et al. is provably secure w.r.t. only a particular type of distribution (they call it a generalization of “block-fixing” distribution) of input file with sufficient min-entropy, in the random oracle model. The constructed hash function may have independent interest. • We propose the first (to the best of our knowledge) solution to support cross-user client-side deduplication over encrypted data in the leakage-resilient model, where a certain amount of arbitrary information about users’ files are leaked. Particularly, we address another important security issue in client-side deduplication— confidentiality of users’ sensitive files against the honest-but-curious cloud storage server, by proposing a method to distribute a randomly chosen per-file encryption key ∗ This work is supported by Fund SecDC-112172014. [Copyright notice will appear here once ’preprint’ option is removed.] to all owners of the same file, in an efficient and secure way. This key distribution method will be seamlessly incorporated into the process of client-side deduplication. We emphasize that “convergent encryption”, which encrypts a file F using hash value hash(F ) as encryption key, is not leakage-resilient and is thus insecure in the setting of PoW. Therefore, the direct combination of a PoW scheme and convergent encryption is not a solution for client-side deduplication over encrypted data. General Terms Algorithm, Security