Crypto news: Vanish

01 Oct 2009

One of the recent USENIX Security papers has been getting quite a bit of buzz: Vanish: Increasing Data Privacy with Self-Destructing Data. It's really a very clever paper, proposing a way to do something apparently impossible: ensuring that data (like email) 'disappears' after a certain period of time.

The core idea is this: the data doesn't really disappear, it just becomes unreadable. Specifically, the paper proposes that:

  1. The data in question be encrypted with a fresh key,
  2. That the key be split into many parts, using a secret-sharing scheme,
  3. That these shares be stored at random locations on some peer-to-peer network (specifically, a distributed hash table), and
  4. That instead of sending the data, you send the encrypted data and a list of where to find the key-shares

The underlying assumption is that people will drop out of the peer-to-peer network at some measurable rate, and that when they do, any shares they have will disappear with them. And the security of the key-splitting scheme tells us that when enough key-shares disappear, the key becomes unrecoverable.

(And what's more, the scheme can even be simplified a bit. Technically speaking, the encryption is just for convenience-- you can get away without it by splitting the data itself rather then the key.)

It's a very nice little scheme. It's already gone through one round of attack-and-patch, but that's not what really caught my interest. Instead, I was charmed by how it used secret-splitting schemes in a new and interesting way. I'm a fan of such schemes, you see, for the following reason: they are one of only three cryptographic schemes in the universe that we know to be secure.

It's a dirty little secret of the cryptographic world, but most of what we do ultimately rests on a wing and a prayer. We believe that our schemes are secure, mostly because we believe the underlying mathematical problems are intractable. (I.e., computationally secure.) But we don't know that-- no one has actually proved it. By and large, any cryptographic scheme in actual use could be broken tomorrow. In fact, it is conceivable that someone could figure out how to break all of them. (We call this the 'smart grad-student attack' and we try not to think about it very much.)

However, secret-sharing is different. Along with one-time pads and something called the Carter-Wegman hash functions, it is actually known to be unbreakable (i.e., information-theoretically secure). No matter what else falls, we will still have these three things. So, I always like to see these three algorithms used. It reassures me that even if the world changes tomorrow and computational security is revealed to be mirage, we will still have some small pieces of crypto left to play with.

You are not watching this post, click to start watching
Share this
Tags:

So, what do you mean when you

So, what do you mean when you say impossible? Because, naively, I would think that throwing my hard drive into the sun would destroy the data on it. And I gather there are similarly nasty but practical-on-earth things one can do. So...is this somehow, in some information-theoretic sense, not actually destroying data? Or do you mean "impossible to destroy via software-only means"? Or "impossible to destroy shared data"? Or what?
Posted by Andromeda on Oct 13th, 2009 at 4:24 pm.

Yes, throwing your hard drive

Yes, throwing your hard drive into the sun would destroy the information on that drive-- so long as it existed *only* on that drive. The Vanish paper, on the other hand, talks about information that is communicated. Once you send some email, you have no control over where that email might be stored. It's in the inbox of the recipients, of course, but also several caches all over the internet. You can throw your drive into the sun all you want at that point, but you haven't destroyed that information. And the ability to destroy that information is beyond your power at that point, unless you also throw into the sun the drives of your ISP, the recipient's ISP, the recipient themselves, the NSA, and any other system that might have acted as a 'hop' on the route from you to the recipient. So when I say it's 'impossible' to destroy data, I mean that it is beyond the power of any individual (and most organizations) to destroy all copies of information that have been communicated over email or embedded on a web-page. Does that make more sense?

Posted by Jon on Oct 27th, 2009 at 9:40 pm.