@InProceedings{DJORx12,
  author =       { Marten van Dijk and Ari Juels and Alina Oprea and Ronald L. Rivest and Emil Stefanov and Nikos Triandopoulos },
  title =        { Hourglass schemes: how to prove that cloud files are encrypted },
  doi =          { 10.1145/2382196.2382227 },                  
  acm =          { 6741717 },
  booktitle =    { Proc. CCS'12 ACM Conference on Computer and Communications Security },
  urla =         { <a href="http://www.sigsac.org/ccs/CCS2012/">CCS'12</a> },
  pages =        { 265--280 },
  date =         { 2012-10-16/2012-10-18 },                  
  OPTyear =      { 2012 },
  OPTmonth =     { Oct. 16--18 },
  eventtitle =   { CCS'12 },
  eventdate =    { 2012-10-16/2012-10-18 },                  
  venue =        { Raleigh, NC },                  
  editor =       { George Danezis and Virgil Gligor },
  publisher =    { ACM },
  keywords =     { cloud storage security, cloud auditing, challenge-response protocol, economic security model },
  abstract =     { We consider the following challenge: How can a
                  cloud storage provider prove to a tenant that it's
                  encrypting files at rest, when the provider itself
                  holds the corresponding encryption keys? Such proofs
                  demonstrate sound encryption policies and file
                  confidentiality. (Cheating, cost-cutting, or misconfigured providers may bypass the
                  computation/management burdens of encryption and
                  store plaintext only.)  To address this problem, we
                  propose hourglass schemes, protocols that prove
                  correct encryption of files at rest by imposing a
                  resource requirement (e.g., time, storage or
                  computation) on the process of translating files
                  from one encoding domain (i.e., plaintext) to a
                  different, target domain (i.e., ciphertext). Our
                  more practical hourglass schemes exploit common
                  cloud infrastructure characteristics, such as
                  limited file-system parallelism and the use of
                  rotational hard drives for at-rest files. For files
                  of modest size, we describe an hourglass scheme that
                  exploits trapdoor one-way permutations to prove
                  correct file encryption whatever the underlying
                  storage medium.  We also experimentally validate the
                  practicality of our proposed schemes, the fastest of
                  which incurs minimal overhead beyond the cost of
                  encryption. As we show, hourglass schemes can be
                  used to verify properties other than correct
                  encryption, e.g., embedding of \provenance tags" in
                  files for tracing the source of leaked files. Of
                  course, even if a provider is correctly storing a
                  le as ciphertext, it could also store a plaintext
                  copy to service tenant requests more efficiently.
                  Hourglass schemes cannot guarantee ciphertext-only
                  storage, a problem inherent when the cloud manages
                  keys. By means of experiments in Amazon EC2,
                  however, we demonstrate that hourglass schemes
                  provide strong incentives for economically rational
                  cloud providers against storage of extra plaintext
                  file copies.  },
}