Titanium: A Metadata-Hiding File-Sharing System with Malicious Security.

End-to-end encrypted file-sharing systems enable users to share files without revealing the file contents to the storage servers. However, the servers still learn metadata, including user identities and access patterns. Prior work tried to remove such leakage but relied on strong assumptions. Metal (NDSS ’20) is not secure against malicious servers. MCORAM (ASIACRYPT ’20) provides confidentiality against malicious servers, but not integrity. Titanium is a metadata-hiding file-sharing system that offers confidentiality and integrity against malicious users and servers. Compared with MCORAM, which offers confidentiality against malicious servers, Titanium also offers integrity. Experiments show that Titanium is 5× to 200× faster or more than MCORAM. I . I N T R O D U C T I O N Many companies offer cloud storage with end-to-end encryption, such as BoxCryptor [1], Icedrive [2], Keybase Filesystem [3], MEGA [4], pCloud [5], PreVeil [6], Sync [7], and Tresorit [8]. The enthusiasm in end-to-end encryption stems from the public’s concerns about how personal data is misused [9] and how hackers have stolen databases of large enterprises [10]. However, end-to-end encryption is not the end, because cloud servers still see metadata. Metadata such as whom the user shares files with is similar to communication privacy—the Stanford MetaPhone study [11] found that phone call metadata is “densely interconnected, susceptible to re-identification, and enables highly sensitive inferences”. A former NSA General Counsel said, “Metadata absolutely tells you everything about somebody’s life” [12]. Extracting secrets from access patterns has been an important area of security research, with much success. There are works that deanonymize users using social connections [13–21], compromise encrypted databases with access patterns [22–28], and break secure hardware with memory access patterns [29, 30]. These attacks might also be applied to end-to-end encrypted file-sharing systems. To understand the impact of metadata leakage, consider an application (Fig. 1) and how it would benefit from metadata protection. A whistleblower, Alice, wants to report a company’s scandal to a journalist. If they communicate via the end-to-end encrypted storage, the servers know that Alice shares files with a journalist and when the files are accessed. If the servers collude with the company, the company may find out the whistleblower. End-to-end encrypted storage Metadata-hiding file-sharing systems Alice and Journalist have accounts Users remain anonymous Alice and Journalist share file F • Alice has write permission • Journalist has read permission F’s access control list is unknown Alice wrote to F on May 26 Journalist read F on May 27 Someone accessed some file on May 26 Someone accessed some file on May 27 On May 28, the scandal was reported Fig. 1: Comparison of security guarantees between end-to-end encrypted storage and metadata-hiding file-sharing systems. Moreover, a hacker or a malicious employee of the cloud may already know the whistleblower’s identity. Alice and the journalist need a storage system that hides metadata from the servers. This system must have anonymity, so the server does not learn whom it is talking to. It must hide access patterns, so the server cannot infer the user behaviors. Does such a metadata-hiding file-sharing system exist? In the last decade, researchers have been trying to design practical metadata-hiding storage [31–35]. This is challenging because there is almost nothing to trust: both users and servers can be malicious. We need malicious security.1 A. The need for malicious security The first step toward malicious security is to handle malicious users. For anonymity, there must be many users, and we cannot assume that none of them are malicious. Over the years, security against malicious users has been achieved, as shown in Tab. I. In contrast, there is no solution to guarantee security against malicious servers. Several constructions [31–33, 35] all assume semi-honest servers. A recent work [34] is the closest to this goal, but it does not offer integrity against malicious servers. Malicious security should be the standard for distributed applications, rather than semi-honest security. This is because malicious attacks can even look indistinguishable from honest executions, so the attackers will never be caught for behaving maliciously. The possibility of undetectable malicious attacks is concerning to users who need metadata privacy to protect themselves, such as Alice and the journalist. In §II, we present several malicious attacks on semi-honest constructions. Though these attacks fall beyond the scope of 1Malicious security ensures security against adversaries who can behave arbitrarily to compromise privacy and integrity of the system. This is in contrast to semi-honest security, where adversaries will follow the protocol faithfully. Network and Distributed Systems Security (NDSS) Symposium 2022 27 February 3 March 2022, San Diego, CA, USA ISBN 1-891562-74-6 https://dx.doi.org/10.14722/ndss.2022.24161 www.ndss-symposium.org TABLE I: Comparison of cryptographic metadata-hiding file storage systems. Scheme Security Functionality Server overhead Anonymity Malicious Malicious Tolerate t out of N MultiFile Computation Server-server users servers corrupted servers owner sharing communication