PE-AONT: Partial Encryption combined with an All-or-Nothing Transform

11/22/2018 ∙ by Katarzyna Kapusta, et al. ∙ Télécom ParisTech 0

In this report, we introduce PE-AONT: a novel algorithm for fast and secure data fragmentation. Initial data are fragmented and only a selected subset of the fragments is encrypted. Further, fragments are transformed using a variation of an all-or-nothing transform that blends encrypted and non-encrypted fragments. By encrypting data only partially, we achieve better performance than relevant techniques including data encryption and straightforward fragmentation. Moreover, when the ratio between the number of encrypted and non-encrypted fragments is wisely chosen, data inside fragments are protected against exposure of the encryption key unless all fragments are gathered by an attacker.



There are no comments yet.


page 7

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Fragmenting and dispersing data over multiple independent storage sites reinforces its confidentiality, integrity, and availability [1]. During the past decades, multiple fragmentation methods were defined and used in various settings  [2]. These methods include but are not limited to information-theoretic secret sharing schemes [13], information dispersal algorithms [10], as well as schemes combining symmetric encryption with data fragmentation [8, 12].

In modern distributed systems, the most common fragmentation approach is to form final fragments from large chunks of encrypted data. Data are encrypted, fragmented in a straightforward manner and then dispersed over different servers or storage sites. To facilitate key management, encryption keys can also be fragmented using a secret sharing scheme and attached to data fragments. To ensure resilience, data replication or error-correction codes  [11] may be applied. This is a reliable way of proceeding, however it does not protect against powerful attacker able to recover encryption keys. Indeed, such attackers may obtain a portion of information by just decrypting fragments in their possession.

Protection against key exposure requires additional post-processing that will create dependencies between ciphertext blocks contained inside the fragments [7] or that will shred ciphertext blocks over the fragments [4]. Encrypted data are then protected against key exposure unless all the fragments are gathered. Such additional protection comes at a performance price, as it increases the required number of operations.

On another hand, partial encryption is usually used in lightweight cipher. In this paper, we introduce PE-AONT: a fragmentation algorithm that is not only faster than the most common fragmentation technique, but also (when wisely applied) protects encrypted data inside fragments against a situaion of key exposure. To achieve this, PE-AONT fragments initial data into fragments, but encrypts only of them. In a next step, it applies an all-or-nothing transform over the totality of the fragments that exclusive-ors ciphertext and plaintext blocks. PE-AONT is then combining AONT technique with partial encryption achieving speed and a good level of security. A secure dispersal of fragments ensures that data from a single fragment cannot be recovered unless all fragments are being gathered. Limiting data encryption allows to speed up the performance, while the all-or-nothing transform combined with fragmentation ensures good level of data protection. By adjusting the values of and , a user may balance between the desired performance and data protection level.

Outline In Section 2 we present state-of-the-art techniques for fast data fragmentation. In Section 3 we describe in details the proposed PE-AONT algorithm. In Section 4 we compare PE-AONT with relevant works, analyzing its complexity and level of data protection. Section 5 contains the performance benchmark. We conclude with an insight into future works.

2 Relevant works

This section presents relevant fragmentation techniques. During descriptions we will use the following notation. Initial data are transformed into a set of fragments, of which are needed for data reconstruction. In Bastion scheme, a sequence of ciphertext blocks is transformed into a sequence of transformed blocks.

2.1 Encryption and Straightforward Fragmentation

A computationally secure scheme for fragmentation of larger data was first introduced by Krawczyk in his seminal work Secret Sharing Made Short (SSMS)  [8]. SSMS can be considered as a more general methodology combining three elements: data encryption, data fragmentation, and secret sharing of the encryption key. In the original proposal, data is encrypted using a symmetric encryption algorithm, and then fragmented using an information dispersal algorithm into fragments, of which are needed for the data recovery. Encryption key is split using a perfect secret sharing scheme (typically Shamir’s secret sharing [13]

) and dispersed within data fragments. In contrast to perfect secret sharing schemes (like the one-time pad or Shamir’s scheme), the storage overhead of SSMS does not depend on data size, but is equal to the size of the key per data fragment (for larger data it is practically negligible).

Performance of SSMS depends on implementation details of encryption and dispersal techniques. In modern implementations, systematic error-correction codes are used as the dispersal technique [1, 11]. This improves the performance, but allows a partial decryption of compromised fragments in a situation of key exposure, as the set of fragments contains fragments that are formed from large encrypted data chunks.

Alike SSMS, the AONT-RS method [3, 12] combines symmetric encryption with data dispersal. The difference between those two methodologies lies in the key management. In AONT-RS, the key is exclusive-ored with the data hash.

2.2 Bastion scheme

Recently introduced, Bastion [7] transforms a ciphertext in order to make its decryption computationally infeasible unless all but two ciphertext blocks are being gathered. In more details, the sequence of input ciphertext blocks is multiplied by a square matrix , such that: (i) all diagonal elements are set to 0, and (ii) the remaining off-diagonal elements are set to 1 (such matrix is invertible and , so the inverse transform: ). The multiplication ensures that each output block will depend on all output blocks except from ,. Bastion achieves much better performance than other all-or-nothing transforms as it requires only exclusive-or operations in addition to data encryption.

2.3 Secure Dispersal and Fragmentation

Secure fragmentation and dispersal (SFD) [4] divides a ciphertext encrypted using a block cipher with a mode of operation that creates chaining between consecutive ciphertext blocks (like Cipher Block Chaining) into fragments resisting to key leakage. The complete scheme is composed of three steps. The first step separates consecutive blocks of the ciphertext. The second step separates bits of blocks over final fragments. At last, fragments are dispersed and stored over independent storage locations e.g. clouds. In consequence, an attacker present at a single storage location is unabl e to decrypt a single block of the ciphertext even if she possesses the right encryption key. SFD can be easily integrated within SSMS or AONT-RS methodologies in order to reinforce their protection level by providing additional protection against key exposure.

3 Description of the algorithm

PE-AONT is composed of three steps. In a first step, initial data composed of plaintext blocks are fragmented into fragments, where only of the fragments are encrypted. In a second step, the fragments are transformed using an all-or-nothing transform that blends ciphertext contained inside the encrypted fragments with the plaintext fragments. Both steps are described in details in the following subsections.

3.1 Step1: Data fragmentation and partial encryption

Pseudo-code of the first step of the algorithm - FragmentAndEncrypt- is presented in Figure 1. An example illustrating the process is shown in Figure 2. During this step, initial data , composed of plaintext blocks, is fragmented into fragments. Only

of the fragments are being encrypted using a block cipher algorithm. During the encryption process one more block is inserted containing the initial vector. Therefore, at the end of the processing, each fragment contains

(plaintext or ciphertext) blocks.

1:function FragmentAndEncrypt()
2:     Fragment data into initial fragments
3:     Encrypt of the fragments:
4:     for each fragment ,  do
5:         Encrypt fragment      
Figure 1: Pseudo-code of Step 1 fragmenting data into fragments.
Figure 2: Step 1, example for , , and . First step of the algorithm fragments data composed of blocks into fragments of size , where blocks each. The block is added to ; it corresponds to the ciphertext block containing the Initial Vector used by the cipher.

3.2 Step 2: All-or-nothing transform of the fragments

The pseudo-code of the second step - AONTTransform - is presented in Figure 3. An example illustrating the process is presented in Figure 4. Blocks inside of the fragments are processed simultaneously, from the block to , by sets of elements (in a row by row fashion, each block comes from a different fragment). The all-or-nothing transform presented in [7, 14] is applied over the set of blocks, of which are ciphertext blocks and the remaining ones are plaintext blocks.

1:function AONTransform()
2:     for  do
4:         for  do
Figure 3: Pseudo-code of the Step 2. An all-or-nothing transform is applied over the fragments exclusive-oring their plaintext and ciphertext blocks. denotes the number of blocks inside a fragment. Blocks are processed by ’rows’ of blocks (each block from a different fragment). For each ’row’ of blocks a value containing the exclusive-or of the blocks is first computed. is then exclusive-ored with each value in the row.
Figure 4: Step2, example for and . Fragments are transformed using an all-or-nothing transform that exclusive-ors ciphertext and plaintext blocks. The transform is applied ’row’ by ’row’ over blocks (each block comes from a different fragment) protecting the fragments which were not encrypted.

3.3 Step 3: Dispersing fragments

In a final step, fragments are dispersed over independent storage sites. The dispersal technique depends on values of and .

  • [leftmargin=*]

  • For : no more than fragments can be stored at a single storage site. This comes from the property of the linear all-or-nothing transform protecting transformed blocks unless more than blocks are exposed [7].

  • For : all fragments have to be dispersed over independent storage sites. As the number of plaintext fragments increases, it is possible that same combinations of ciphertext blocks will be used to protect different plaintext blocks. Indeed, data protection level is lower and fragments are only secure when the assumed attacker is not able to compromise more than one storage site. It is the price that has to be paid for speeding up the algorithm processing.

Algorithm Block op. Exclusive-ors K.E.P.
Encryption l-1 b.c. l-1 No
Bastion l-1 b.c. 3l-1 [AON Transform: 2l] Yes
SFD l-1 b.c. l-1 Yes
PE-AONT b.c. Yes*
Table 1: Comparison in terms of number of block cipher operations (block op.), number of exclusive-ors, and the ability to provide a key exposure protection (K.E.P). We assume a plaintext of blocks. (*) PE-AONT provides key exposure protection when . When fragments are protected against key exposure, but data is protected only against an attacker at a single storage site.

4 Theoretical Comparison

We compared PE-AONT with relevant works in terms of amount of computations and ability to protect against key exposure. Results are shown in Table 1. As a baseline, we use encryption that requires block cipher operations and exclusive-or operations (when applied on a plaintext composed of

blocks). Bastion scheme applies only a linear transform over the encrypted data without increasing the number of block cipher operations. Bastion’s transform uses

exclusive-or operations. Counting with the encryption step, Bastion scheme requires exclusive-ors. SFD does not require additional operations in addition to data encryption, as it just disperses data chunks over fragments (depending on the programming technique this also leads to a slight performance overhead of up to 11%). PE-AONT requires only block cipher operations, as it does not encrypt the totality of the data contained inside the fragments. It performs exclusive-or operations: during the encryption of part of the data and during the AONT.

Encryption and straightforward fragmentation do not protect against key exposure: an attacker possessing the key is able to decrypt the transformed data. Bastion protects transformed ciphertext against key exposure unless all but two blocks are being exposed. The level of data protection in PE-AONT depends on the values of and . To achieve the protection against key exposure, each plaintext block should be exclusive-ored with at least two different ciphertext blocks. The minimum value of is then (as the number of input blocks in the AONT transform has to be even, see the explanation in: [7]) and the minimum value of is . Intuitively, the larger the value of , the higher will be the provided level of data protection. When , data cannot be decrypted unless all fragments are gathered. Fragments are thus protected against key exposure. When the protection is lower and ensured only if the attacker is at a single storage site. Indeed, when the attacker compromised more than one site, she can obtain relationships between fragments by exclusive-oring the fragments in her possession (a similar problem occurs when a one-time pas is reused). Therefore, the most interesting configuration of PE-AONT is the one when , as it is not only faster than encryption and straightforward fragmentation, but also protects data against key exposure.

5 Performance comparison with relevant works

Implementation details Relevant algorithms were implemented using the same programing style in JAVA with JDK 1.8 on DELL Latitude E6540, X64-based PC running on Intel® CoreTM i7-4800MQ CPU @ 2.70 GHz with 8 GB RAM, under Windows 7. Standard library was used. A random data sample was used for each measurement and each presented result is an average of 30 measurements. AES-NI with 128 bits key was used for encryption.

Performance comparison between relevant algorithms is presented in Figure 5. The performance of PE-AONT is shown in 4 configurations: two configurations were (and where the protection level is high) and for two configurations when (data protection is traded for better performance). In all configurations, PE-AONT outperforms encryption and straightforward fragmentation. Moreover, it is much faster than two relevant fragmentation techniques protecting fragmented data against key exposure: SFD and Bastion’s scheme.

Figure 5: Performance benchmark. PE-AONT was measured in different configurations of . In all of them it is faster than encryption and straightforward fragmentation. It is also faster than two fragmentation schemes protecting against data exposure: secure fragmentation and dispersal (SFD) and the Bastion scheme.

6 Future works

Our software integrates encryption and PE-AONT in a coarse-grained fashion. In the future, we would like to integrate the algorithm within the encryption process to allow an even better fragmentation performance. We recently improved the Bastion AONT algorithm by decreasing the number of Xor operations needed to protect data against key exposure in  [5] or in  [6]. it would be interesting to analyze and compare in which situation one method is preferable over another one. PE-AONT is very likely best fitted as a lightweight cipher since it is faster than the other AONT algorithms. Moreover, we would like to integrate PE-AONT inside a complete distributed system protecting data using a combination of fragmentation, encryption, and dispersal [9].

7 Conclusion

PE-AONT: a fast fragmentation method combining partial encryption with an all-or-nothing transform was introduced in order to speed up the fragmentation performance. The desired performance and protection levels can be adjusted by the user who can set parameter values to increase performance and decrease protection or the other way around. An experimental evaluation shows that the algorithm achieves better performance than relevant techniques including the most common way of data fragmentation. As such, it can be chosen as a lightweight cipher. Moreover, by carefully choosing parameters values, it protects fragmented data against a situation of key exposure as long as an attacker does not access to the entire set of fragments. We now believe that PE-AONT could be considered as a software component and successfully be integrated within modern distributed systems where rapid protection is required.


  • [1] Bessani, A., Correia, M., Quaresma, B., André, F., Sousa, P.: Depsky: Dependable and secure storage in a cloud-of-clouds. Trans. Storage 9(4), 12:1–12:33 (Nov 2013).,
  • [2] Buchanan, W., Lanc, D., Ukwandu, E., Fan, L., Russell, G.: The future internet: A world of secret shares. Future Internet 7(4),  445 (2015).
  • [3] Chen, L., Laing, T.M., Martin, K.M.: Revisiting and Extending the AONT-RS Scheme: A Robust Computationally Secure Secret Sharing Scheme, pp. 40–57. Springer International Publishing, Cham (2017)
  • [4]

    Kapusta, K., Memmi, G.: Enhancing data protection in a distributed storage environment using structure-wise fragmentation and dispersal of encrypted data. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). pp. 385–390 (Aug 2018).
  • [5] Kapusta, K., Memmi, G.: Poster: Circular aon: A very fast scheme to protect encrypted data against key exposure. In: ACM CCS’18. Toronto, Canada (October 2018)
  • [6] Kapusta, K., Memmi, G.: Selective all-or-nothing transform: Protecting outsourced data against key exposure. In: Proc. of 10th Int. Symp, CSS, LNCS 11161. pp. 181–193. Springer, Amalfi, Italy (October 2018)
  • [7] Karame, G.O., Soriente, C., Lichota, K., Capkun, S.: Securing cloud data under key exposure. IEEE Transactions on Cloud Computing pp. 1–1 (2018).
  • [8] Krawczyk, H.: Secret sharing made short. In: Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology. pp. 136–146. CRYPTO ’93, Springer-Verlag, London, UK (1994),
  • [9] Memmi, G., Kapusta, K., Qiu, H.: Data protection: Combining fragmentation, encryption, and dispersion. In: 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC). pp. 1–9 (August 2015).
  • [10] Rabin, M.O.: Efficient dispersal of information for security, load balancing, and fault tolerance. J. ACM 36(2), 335–348 (1989).,
  • [11] Reed, I.S., Solomon, G.: Polynomial Codes Over Certain Finite Fields. Journal of the Society for Industrial and Applied Mathematics 8(2), 300–304 (1960),
  • [12] Resch, J.K., Plank, J.S.: Aont-rs: Blending security and performance in dispersed storage systems. In: Proceedings of the 9th USENIX Conference on File and Stroage Technologies. pp. 14–14. FAST’11, Berkeley, CA, USA (2011),
  • [13] Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (Nov 1979).,
  • [14] Stinson, D.R.: Something about all or nothing (transforms). Des. Codes Cryptography 22(2), 133–138 (Mar 2001).,