Paper 2022/553

Secure Storage with Deduplication

John Best, Wayne Hineman, Steven Hetzler, Guerney Hunt, and Charanjit S. Jutla


We describe a new secure storage scheme that facilitates deduplication. The scheme is also proved secure in the universal-composability model. It is a single server scheme, and the basic scheme does not prevent against off-line dictionary attacks if the server is compromised. However, if a global secret key is shared amongst users of the organization, and this key is never stored at the server, we also get protection against off-line dictionary attacks even if the server is compromised. The UC security model for deduplication is based on an earlier work of Liu, Asokan and Pinkas, Proc. CCS 2015. The scheme obtains additional optimization by employing the XTS-AES mode of encryption in the public random permutation model. Another upshot of the analysis is that one can first MAC and then encrypt using XTS mode and attain authenticated encryption, avoiding the pitfalls cautioned against by Hugo Krawczyk, in the work ``How Secure is SSL?'', CRYPTO 2001.

Available format(s)
Secret-key cryptography
Publication info
IAPMXTSauthenticated encryptionUC securitydeduplication
Contact author(s)
csjutla @ us ibm com
2022-05-10: received
Short URL
Creative Commons Attribution


      author = {John Best and Wayne Hineman and Steven Hetzler and Guerney Hunt and Charanjit S.  Jutla},
      title = {Secure Storage with Deduplication},
      howpublished = {Cryptology ePrint Archive, Paper 2022/553},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.