CryptoDB
Kenny Paterson
Publications
Year | Venue | Title
2023 | RWC | Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices
Abstract
As privacy-awareness rises, demand for end-to-end encrypted (E2EE) services is increasing. However, not all systems live up to their advertised security guarantees. MEGA—the largest provider of E2EE cloud storage with over 260 million users—failed to protect the confidentiality and integrity of their customers’ data, as our recent paper “MEGA: Malleable Encryption Goes Awry” showed.
In this talk, we take a step back and discuss why it is surprisingly challenging to design a privacy-preserving cloud storage protocol that is secure even when the cloud provider is actively malicious. Recent academic effort focused on building file sharing systems which hide metadata. However, systems in practice still face much more fundamental challenges including key management, asynchronously coalescing updates stemming from collaboration on shared E2EE files, and cryptographic agility. We briefly discuss the approach of MEGA and how it was susceptible to a key recovery attack that allowed a malicious cloud provider to decrypt user files, among other vulnerabilities. Based on the attacks on MEGA, we suggest best practices for designing secure E2EE cloud storage systems.
Unfortunately, it is infeasible for MEGA to completely redesign their system due to scale and backward compatibility. Even if a redesign were possible, the security they currently aim to provide still falls short of offering desirable properties like post-compromise security, forward security, and key rotation. With this in mind, we point out open questions for future work and advocate for a standardization process for a cloud storage design.
2022 | RWC | Where Is the Research on Cryptographic Transition and Agility?
Abstract
Cryptographic agility frameworks enable the transition from one cryptographic algorithm or implementation to another in a computing system or application. As quantum safe algorithms (PQC) steadily progress through the NIST-led standardization process, we ask whether the research community has done enough to map and expand cryptographic deployment paradigms, most developed decades ago, to modern compute infrastructures. The problem is acutely felt by the operators of such infrastructures where applications and systems are highly distributed, involve many software and hardware components, bring together multiple stakeholders, and require policy-driven control. Since the security, performance, and manageability of cryptography matters, we contend that these are not extraneous concerns that lack connection to the applied research community.
Coauthors
- Matilda Backendal (1)
- Miro Haller (1)
- Dennis Moreau (1)
- David Ott (1)
- Kenny Paterson (2)