LITERATURE SURVEY

Authors: M. Bellare, S. Keelveedhi, and T. Ristenpart

Title: Dupless: Serveraided encryption for deduplicated storage.
Cloud storage service providers such as Dropbox, Mozy, and others perform deduplication to
save space by only storing one copy of each file uploaded. Should clients conventionally encrypt
their files, hoIn thever, savings are lost. Message-locked encryption (the most prominent
manifestation of which is convergent encryption) resolves this tension. HoIn thever it is
inherently subject to brute-force attacks that can recover files falling into a known set. In the
recommend an

architecture that provides secure deduplicated storage resisting brute-force

attacks, and realize it in a system called DupLESS. In DupLESS, clients encrypt under messagebased keys obtained
from a key-server via an oblivious PRF protocol. It enables clients to store encrypted data with
an existing service, have the service perform deduplication on their behalf, and yet achieves
strong confidentiality guarantees. In the show that encryption for deduplicated storage can
achieve performance and space savings close to that of using the storage service with plaintext
data. In the studied the problem of providing secure outsourced storage that both supports
deduplication and resists brute-force attacks. In the design a system, DupLESS, that combines a
CE-type baseMLE scheme with the ability to obtain message-derived keys with the help of a key
server (KS) shared amongst a group of clients. The clients interact with the KS by a protocol for
oblivious PRFs, ensuring that the KS can cryptographically mix in secret material to the permessage keys while learning nothing about files stored by clients. These mechanisms ensure that
Dup LESS provides
strong security against external attacks which compromise the SS and communication channels
(nothing is leaked beyond file lengths, equality, and access patterns),and that the security of
DupLESS gracefully degrades in the face of comprised systems. Should a client be
compromised, learning the plaintext underlying another clients ciphertext requires mounting an
online bruteforce attacks (which can be sloIn thed by a rate-limited KS). Should the KS be
compromised, the attacker must still attempt an offline brute-force attack, matching the
guarantees of traditional MLE schemes. The substantial increase in security comes at a modest
price in terms of performance, and a small increase in storage requirements relative to the base

system. The low performance overhead results in part from optimizing the client-to-KS OPRF
protocol, and also from ensuring DupLESS uses a low number of interactions with the SS. In the
show that DupLESS is easy to deploy: it can work transparently on top of any SS implementing
a simple storage interface, as shown by our prototype for Dropbox and Google Drive.

Author: M. Bellare, S. Keelveedhi, and T. Ristenpart.

Title: Message-locked encryption and secure deduplication.
In the formalize a new cryptographic primitive, Message-Locked Encryption (MLE), where the
key under which encryption and decryption are performed is itself derived from the message.
MLE provides a way to achieve secure deduplication, a goal currently targeted by numerous
cloud-storage providers. In the provide dentitions both for privacy and for a form of integrity that
In the call tag consistency. Based on this foundation, In the make both practical and theoretical
contributions. On the practical side, In the provide ROM security analyses of a natural family of
MLE schemes that includes deployed schemes. On the theoretical side the challenge is standard
model solutions, and In the make connections with deterministic encryption, hash functions
secure on correlated inputs and the sample-then-extract paradigm to deliver schemes under di
erent assumptions and for dierent classes of message sources. Our work shows that MLE is a
primitive of both practical and theoretical interest. Recall that In the have introduced an in
distinguish ability-from-random notion (PRV$-CDA) for MLE and shoIn thed that it implied its
adaptive counterpart. This is of broader interest for the parent settings of deterministic and
hedged encryption. Here achieving adaptive security has been challenging. In the suggest that
progress can be made by de_ning and then targeting in distinguish ability-from-random style
de_nitions. Mironov, Pandey, Reingold and Segev suggest deduplication as a potential
application of their incremental deterministic public-key encryption scheme. But this will only
work with a single client. It won't allow deduplication across clients, since they would all have to
share the secret key. Recent work shoIn thed that client-side deduplication gives rise to sidechannel attacks because users are told if another user already uploaded ale. MLE is compatible
with either client- or serverside deduplication (the latter prevents such side-channels). In the note
that one of our new schemes, RCE, gives rise to such a side-channel. MLE targets a di_erent

class of threats than proofs of ownership, which In there recommend for deduplication systems
in order to mitigate abuse of services for surreptitious content distribution.
Authors: M. Bellare, C. Namprempre, and G. Neven.
Title: Security proofs for identity-based identification and signature schemes.
This paper provides either security proofs or attacks for a large number of identity-based
identification and signature schemes defined either explicitly or implicitly in existing literature.
Underlying these are a framework that on the one hand helps explain how these schemes are
derived, and on the other hand enables modular security analyses, thereby helping to understand,
simplify and unify previous work. Late eighties and early nineties saw the proposal of many
identity-based identification (IBI) and identity-based signature (IBS) schemes. These include the
Fiat-Shamir IBI and IBS schemes, the Guillou-Quisquater IBI and IBS schemes, the IBS scheme
in Shamirs paper introducing identity based cryptography, and others . Now, new, pairing-based
IBS schemes are being recommend .Prompted by the reneIn thed interest in identity-based
cryptography that has folloIn thed identity-based encryption (IBE), In the decided to revisit the
IBI and IBS areas. An examination of past work revealed the following. Although there is a lot of
work on proving security in the identification domain, it pertains to standard rather than identitybased schemes. (For example, security proofs have been provided for standard identification
schemes related to the Fiat-Shamir and Guillou Quisquater IBI schemes , but not for the IBI
schemes themselves.) In fact, a provable-security treatment of IBI schemes is entirely lacking:
there are no security definitions, and none of the existing schemes is proven secure. Given the
practical importance and usage of IBI schemes, this is an important (and somewhat surprising)
gap.