Mitigating Side Channels in Deduplicating Cloud Storage

Abstract: 
Outsourced storage is by now strikingly prevalent for individuals and enterprises. Cloud storage providers (CSPs) use deduplication for saving bandwidth and storage which helped them to reduce the costs tremendously. Deduplication is the process by which CSPs only store one copy of each file, irrespective of how many times that file is uploaded. Client-side deduplication, where the client only uploads the file upon the request of the server, provides significant storage and bandwidth savings but introduces some security concerns. An adversary can exploit side-channel information in several attack scenarios when deduplication takes place at the client side, leaking information on whether a specific plaintext exists in the cloud storage. In this talk, we elaborate on these attack scenarios on deduplicating cloud storage systems and discuss some possible countermeasures, specifically the method of probabilistic uploads. We introduce formal definitions for deduplication strategies and their security in terms of adversarial advantage. Using these definitions, we provide a criterion for designing good strategies and then prove a bound characterizing the necessary trade-off between security and efficiency. Generalizing existing security definitions, we introduce formal security games for some possible adversaries in this domain and show that games representing all natural adversarial behaviors are in fact equivalent. These results allow users and practitioners alike to accurately assess the vulnerability of deployed systems to this real-world concern and identify the steps required to mitigate the security risks. 
 
Biography
Mohsen Toorani is a postdoctoral research fellow at the Department of Informatics at the University of Bergen. He received his Ph.D. from the University of Bergen in 2015. Since 2016, he has been working on a collaborative project with the Norwegian University of Science and Technology on Cryptographic Tools for Cloud Security. His research interests include cryptographic protocols and primitives and security of distributed systems. He has served as the editorial board member, TPC member, and reviewer for several journals and conferences and is a member of the IACR, IEEE, and ACM.