This scheme is intended to be used in a scenario where multiple users are using a storage system to store data.
Cloud services introduce new security threats with respect to the confidentiality of the outsourced data. Cloud providers are motivated to provide data confidentiality for their storage services, given the increasing security assurance demands from cloud customers. However, once traditional encryption is applied to the data, they lose the ability to optimize their storage costs by deduplicating it.
TREDISEC aims to provide strong data confidentiality guarantees while benefiting from the various advantages of data deduplication in the cloud. On the one hand, we aim to devise novel schemes which ensure data confidentiality despite a powerful adversary that has access to the user's secret material: such schemes are defined as key-exposure resistant schemes. We also plan to propose techniques which support deduplication of data encrypted by different mistrusting principals (tenants, users).
Files are encrypted on the client side before being uploaded to the cloud and are decrypted on the client side after being downloaded. The encryption key is kept by the clients. Clients acquire the encryption keys from a remote entity in a privacy-preserving way: the remote entity cannot infer or distinguish the file content from the clients' requests, yet it ensures that the same file content always derives the same encryption key. Thanks to this property, files can be deduplicated across multiple clients.
The encryption primitive encrypts and partitions the file, in a way that the file can be decrypted only when all the partitions of the encrypted data as well as the decryption key are available.
If data is deployed on a server in an untrusted environment (e.g. the cloud), the data owner might be afraid of honest-but-curious database administrators, other personnel, or external attackers who have access to the server. Our processing mechanism uses adjustable query-based encryption: the data is encrypted in so-called onion encryption layers, where the weakest encryption schemes are the innermost layers, which are then encrypted with other encryption schemes.
Offers deduplication over encrypted files. It allows different users to upload client-side encrypted files to the cloud, while deduplication can still be applied to those encrypted files.
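The key acquisition described earlier (the same content always yields the same key, while the remote entity learns nothing about the content) and the resulting deduplication over client-side encrypted files can be sketched with a blind-RSA oblivious PRF. This is an added example, not TREDISEC code. The page does not name the protocol, so blind RSA, the toy key, the SHAKE-256 stand-in cipher and all function names are assumptions.

```python
import hashlib, math, secrets

# Constructed toy RSA key for the key server (two Mersenne primes): far too
# small for real use, chosen so the example runs offline with the stdlib only.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # key server's private exponent

def h(content: bytes) -> int:
    """Hash file content into Z_N."""
    return int.from_bytes(hashlib.sha256(content).digest(), "big") % N

def client_blind(content: bytes):
    """Client: hide H(file) behind a fresh random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(content) * pow(r, E, N)) % N, r

def server_sign(blinded: int) -> int:
    """Key server: sees only a random-looking value, never H(file)."""
    return pow(blinded, D, N)

def client_unblind(content: bytes, signed: int, r: int) -> bytes:
    """Client: strip r, verify the server's answer, derive the file key."""
    s = (signed * pow(r, -1, N)) % N
    if pow(s, E, N) != h(content):
        raise ValueError("key server returned an invalid response")
    return hashlib.sha256(s.to_bytes(32, "big")).digest()

def encrypt(key: bytes, content: bytes) -> bytes:
    """Deterministic stand-in cipher (SHAKE-256 keystream XOR), so equal files
    give equal ciphertexts; applying it twice decrypts."""
    stream = hashlib.shake_256(key).digest(len(content))
    return bytes(a ^ b for a, b in zip(content, stream))

def upload(content: bytes):
    """Full client flow; returns (request seen by key server, ciphertext)."""
    blinded, r = client_blind(content)
    key = client_unblind(content, server_sign(blinded), r)
    return blinded, encrypt(key, content)
```

Two clients uploading the same file send different blinded requests to the key server but produce byte-identical ciphertexts, which the storage provider can deduplicate without holding any key.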