Secure Encrypted Data Deduplication for Cloud Storage against Compromised Key Servers

Abstract

Message-locked encryption (MLE) is a special type of symmetric encryption enabling deduplication over ciphertexts. Since an MLE key is extracted from the message itself, it is vulnerable to brute-force attacks. Existing schemes employ an independent key server to help in generating MLE keys, where the MLE key is extracted from the message and a server-side secret to thwart brute-force attacks. Whereas, the security of these schemes depends on the reliability of the key server, which causes the single-point-of- failure problem. In this paper, we propose DECKS, an encrypted data \underline{de}duplication scheme against the \underline{c}ompromised \underline{k}ey \underline{s}erver. DECKS employs multiple key servers to assist users in generating MLE keys using an oblivious and threshold-based protocol, such that compromising any key server would not break the security. To free DECKS from trusting a specific group of key servers during the lifetime of protected data, the key servers are periodically replaced by new ones to renew the security protection. Provable security and high efficiency of DECKS are demonstrated by comprehensive analyses and experimental evaluations.