Integrity auditing for multi-copy storage
US-2022318415-A1 · Oct 6, 2022 · US
Systems and methods of secure deduplication of encrypted content
US12505233B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12505233-B2 |
| Application number | US-202318344326-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 29, 2023 |
| Priority date | Jun 29, 2023 |
| Publication date | Dec 23, 2025 |
| Grant date | Dec 23, 2025 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Systems and methods for secure deduplication of encrypted content. A system generally includes a client, a key server, a fingerprint index, and a storage service. The client can perform chunking of a file, hashing of chunks to generate tags, and encryption of chunks using a salted key from the key server. The fingerprint index checks for duplicate ciphertexts using the tags. The storage service saves non-duplicate ciphertext.
First claim
Opening claim text (preview).
The invention claimed is: 1 . A method for secure deduplication of a file on a storage, the method comprising: dividing the file into a plurality of chunks; hashing each of the plurality of chunks to obtain a plurality of unsalted keys, wherein each one of the plurality of unsalted keys is associated with one of the plurality of chunks; salting the plurality of unsalted keys to generate a plurality of salted keys; encrypting each of the plurality of chunks with the plurality of salted keys to generate a plurality of ciphertexts; hashing each of the plurality of ciphertexts to generate a plurality of tags; validating that at least one of the plurality of ciphertexts is already present on the storage using the plurality of tags; verifying each tag in a subset of the plurality of tags that are not already present on the storage matches the corresponding ciphertext by hashing each of a subset of the plurality of ciphertexts that are not already present on the storage; when the verifying of a tag matching the corresponding ciphertext is successful, storing the subset of the plurality of tags that are not already present on the storage and the subset of the plurality of ciphertexts that are not already present on the storage; writing a recipe file to the storage as a sequence of tags and unencrypted salted keys; encrypting the recipe file using public key-private key encryption; and storing the encrypted recipe file on the storage. 2 . The method of claim 1 , further comprising: obscuring whether at least one of the subset of the plurality of ciphertexts is on the storage. 3 . The method of claim 2 , wherein the obscuring comprises: generating an initially random number for each of the subset of the plurality of ciphertexts, each initially random number being associated with a threshold; and storing the initially random number with each of the subset of the plurality of ciphertexts. 4 . The method of claim 3 , further comprising: determining if a certain ciphertext of one of the subset of the plurality of ciphertexts is uploaded by a potential attacker to the storage; incrementing the initially random number for the certain ciphertext; and wherein obscuring whether at least one of the subset of the plurality of ciphertexts comprises generating an obscured indication of whether the certain ciphertext is already stored based on the threshold. 5 . The method of claim 1 , wherein a client encrypting each of the plurality of chunks does not know the salting to generate the plurality of salted keys. 6 . The method of claim 1 , wherein the plurality of salted keys are generated by a program executing on a secure coprocessor. 7 . The method of claim 1 , further comprising: decrypting the encrypted recipe file using public key-private key encryption; retrieving the plurality of ciphertexts using the sequence of tags from the recipe file; decrypting the plurality of ciphertexts using the salted keys from the recipe file to obtain the plurality of chunks; and rearranging the plurality of chunks to recreate the file. 8 . A system for secure deduplication of a file on a storage, the system comprising: a client device including at least one processor and memory operably coupled to the at least one processor, and instructions that, when executed on the at least one processor, cause the at least one processor to implement: a chunking engine configured to divide the file into a plurality of chunks, a hashing engine configured to hash each of the plurality of chunks to obtain a plurality of unsalted keys, wherein each one of the plurality of unsalted keys is associated with one of the plurality of chunks, an encryption engine configured to encrypt each of the plurality of chunks with a plurality of salted keys to generate a plurality of ciphertexts, wherein the hashing engine is further configured to hash each of the plurality of ciphertexts to generate a plurality of tags; a key server including a salting engine configured to salt the plurality of unsalted keys to generate the plurality of salted keys; a fingerprint index including a duplicate identification engine configured to validate that at least one of the plurality of ciphertexts is already present on the storage using the plurality of tags; and a storage service including: a ciphertext verification engine configured to verify each tag in the subset of the plurality of tags that are not already present on the storage matches the corresponding ciphertext by hashing each of the subset of the plurality of ciphertexts that are not already present on the storage, and a storage engine configured to store when the verifying of a tag matching the corresponding ciphertext is successful, the subset of the plurality of tags that are not already present on the storage and the subset of the plurality of ciphertexts that are not already present on the storage; and wherein the client device further includes an input/output engine configured to write a recipe file as a sequence of tags and unencrypted salted keys; and wherein the encryption engine is further configured to encrypt the recipe file using public key-private key encryption, and wherein the storage engine is further configured to store the encrypted recipe file on the storage. 9 . The system of claim 8 , further comprising a rate limiting engine configured to: obscure whether at least one of the subset of the plurality of ciphertexts is on the storage. 10 . The system of claim 9 , wherein the rate limiting engine is configured to obscure whether at least one of the subset of the plurality of ciphertexts that are not already present on the storage is already on the storage including by: generating an initially random number for each of the subset of the plurality of ciphertexts, each initially random number being associated with a threshold; and storing the initially random number with each of the subset of the plurality of ciphertexts. 11 . The system of claim 10 , wherein the rate limiting engine is further configured to obscure whether at least one of the subset of the plurality of ciphertexts is on the storage including by: determining if a certain ciphertext of one of the subset of the plurality of ciphertexts is uploaded by a potential attacker to the storage; incrementing the initially random number for the certain ciphertext; and returning an obscured indication of whether the certain ciphertext is already stored based on the threshold. 12 . The system of claim 8 , wherein the client device does not know the salting to generate the plurality of salted keys. 13 . The system of claim 8 , wherein the salting engine is configured to generate the plurality of salted keys by a program executing on a secure coprocessor. 14 . The system of claim 8 , wherein the encryption engine is further configured to: decrypt the encrypted recipe file using public key-private key encryption; retrieve the plurality of ciphertexts using the sequence of tags from the recipe file; decrypt the plurality of ciphertexts using the salted keys from the recipe file to obtain the plurality of chunks; and rearrange the plurality of chunks to recreate the file. 15 . A non-transitory computer-readable medium comprising instructions that, when executed by a processor, cause the processor to implement: dividing a file into a plurality of chunks; hashing each of the plurality of chunks to obtain a plurality of unsalted keys, wherein each one of the plurality of unsalted keys is associated with one of the plurality of chunks; salting the plurality of unsalted keys to generate a pluralit
Assignees
Inventors
Classifications
- G06F21/6209Primary
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
- G06F21/602Primary
Providing cryptographic facilities or services · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12505233B2 cover?
- Systems and methods for secure deduplication of encrypted content. A system generally includes a client, a key server, a fingerprint index, and a storage service. The client can perform chunking of a file, hashing of chunks to generate tags, and encryption of chunks using a salted key from the key server. The fingerprint index checks for duplicate ciphertexts using the tags. The storage service…
- Who is the assignee on this patent?
- Acronis Int Gmbh
- What technology area does this patent fall under?
- Primary CPC classification G06F21/6209. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Dec 23 2025 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).