Revisiting Shared Data Protection Against Key Exposure

This paper puts a new light on secure data storage inside distributed systems. Specifically, it revisits computational secret sharing in a situation where the encryption key is exposed to an attacker. It comes with several contributions: First, it defines a security model for encryption schemes, where we ask for additional resilience against exposure of the encryption key. Precisely we ask for (1) indistinguishability of plaintexts under full ciphertext knowledge, (2) indistinguishability for an adversary who learns: the encryption key, plus all but one share of the ciphertext. (2) relaxes the "all-or-nothing" property to a more realistic setting, where the ciphertext is transformed into a number of shares, such that the adversary can't access one of them. (1) asks that, unless the user's key is disclosed, noone else than the user can retrieve information about the plaintext. Second, it introduces a new computationally secure encryption-then-sharing scheme, that protects the data in the previously defined attacker model. It consists in data encryption followed by a linear transformation of the ciphertext, then its fragmentation into shares, along with secret sharing of the randomness used for encryption. The computational overhead in addition to data encryption is reduced by half with respect to state of the art. Third, it provides for the first time cryptographic proofs in this context of key exposure. It emphasizes that the security of our scheme relies only on a simple cryptanalysis resilience assumption for blockciphers in public key mode: indistinguishability from random, of the sequence of diferentials of a random value. Fourth, it provides an alternative scheme relying on the more theoretical random permutation model. It consists in encrypting with sponge functions in duplex mode then, as before, secret-sharing the randomness

AONT-LT: a Data Protection Scheme for Cloud and Cooperative Storage Systems

We propose a variant of the well-known AONT-RS scheme for dispersed storage systems. The novelty consists in replacing the Reed-Solomon code with rateless Luby transform codes. The resulting system, named AONT-LT, is able to improve the performance by dispersing the data over an arbitrarily large number of storage nodes while ensuring limited complexity. The proposed solution is particularly suitable in the case of cooperative storage systems. It is shown that while the AONT-RS scheme requires the adoption of fragmentation for achieving widespread distribution, thus penalizing the performance, the new AONT-LT scheme can exploit variable length codes which allow to achieve very good performance and scalability.Comment: 6 pages, 8 figures, to be presented at the 2014 High Performance Computing & Simulation Conference (HPCS 2014) - Workshop on Security, Privacy and Performance in Cloud Computin

All or Nothing at All

We continue a study of unconditionally secure all-or-nothing transforms (AONT) begun in \cite{St}. An AONT is a bijective mapping that constructs s outputs from s inputs. We consider the security of t inputs, when s-t outputs are known. Previous work concerned the case t=1; here we consider the problem for general t, focussing on the case t=2. We investigate constructions of binary matrices for which the desired properties hold with the maximum probability. Upper bounds on these probabilities are obtained via a quadratic programming approach, while lower bounds can be obtained from combinatorial constructions based on symmetric BIBDs and cyclotomy. We also report some results on exhaustive searches and random constructions for small values of s.Comment: 23 page