International Association for Cryptologic Research

CryptoDB

Provable Security for End-to-End Encrypted Cloud Storage

Authors:
Matilda Backendal
Hannah Davis
Felix Günther
Miro Haller
Kenny Paterson
Presentation: Slides
Abstract: Two years ago, at RWC 2023 in Tokyo, we presented attacks on Mega—an end-to-end encrypted (E2EE) cloud storage provider with over 300 million users—and challenges on the path to designing a secure cloud storage protocol with end-to-end guarantees. Now, it is time for an update. In the past two years, analyses of multiple E2EE cloud storage providers revealed serious flaws in most systems, showing that the entire ecosystem is largely broken. At the same time, Google and Apple launched optional client-side encryption for Google Drive and iCloud, thereby making E2EE cloud storage available to their users (albeit with limited functionality). This is great news for privacy-minded users, but given the vulnerabilities that were discovered in most of the smaller providers, one may ask: how do we know if they are secure? Moreover, the vast majority of cloud storage providers still only use server-side encryption, which provides no protection against server compromise. Why is this the case? And what can we do about it? In this talk, we present the first cryptographic model for secure cloud storage in the malicious server threat model, formalizing E2EE cloud storage. Our model and security notions are motivated by our study of real-world E2EE cloud storage providers. We begin by briefly recapping our insights from analyzing MEGA and Nextcloud, identifying the main challenges that they struggled with. We then give a formal syntax for the core functionality of a cloud storage system, focusing on how we tailored the model to capture the real-world complexity of such systems. We continue by showing how we define the expected end-to-end security guarantees against a potentially compromised or malicious cloud server. Finally, we present the first provably secure E2EE cloud storage protocol. Along the way, we hope to inspire a discussion between academia and industry on the remaining challenges of bringing provably secure E2EE cloud storage to practice.
Video: https://youtu.be/UQEH7TLuNrg
BibTeX
@misc{rwc-2025-35881,
  title={Provable Security for End-to-End Encrypted Cloud Storage},
  note={Video at \url{https://youtu.be/UQEH7TLuNrg}},
  howpublished={Talk given at RWC 2025},
  author={Matilda Backendal and Hannah Davis and Felix Günther and Miro Haller and Kenny Paterson},
  year=2025
}