Secure Length-Preserving All-or-Nothing Transform

Abstract

When a hard drive (HDD) is recycled, it is recommended that all files on the HDD are repeatedly overwritten with random strings for protecting their confidentiality. However, it takes a long time to overwrite them. This problem is solved by applying the all-or-nothing transform (AONT) to the filesystem of the HDD. To use the HDD economically, it is desirable to use a length-preserving AONT (LP-AONT). Whereas previous AONTs cause the increase of size of a file, and no LP-AONT is secure under previous security definitions. However, it does not mean that the LP-AONT is useless;previous security definitions are too strict in practical applications. Then, by introducing the ambiguity of a message, we propose more practical security definitions of the AONT. We also show the secure implementation of the LP-AONT under the proposed security definitions. The analysis shows that our implementation is nearly optimal in terms of the success probability of an adversary. It means that the ambiguity of one message block allows us to construct the LP-AONT as secure as previous AONTs.