Beyond Confidentiality: Framing-Resistant Secure Vault Schemes
摘要
Vault schemes have recently been proposed as a cryptographic abstraction for storing sensitive and non-sensitive data in outsourced databases while preserving confidentiality guarantees. Prior work has focused primarily on privacy goals, formalized through indistinguishability notions that protect sensitive records even when an adversary has access to tokens and the database contents. In this work we argue that confidentiality alone is not sufficient: a new integrity threat arises in the form of framing attacks, in which a malicious server or colluding user forges records that appear to originate from an honest client. We introduce framing resistance as a complementary security goal for vaults, and formalize it via a new indistinguishability game, IND-FR. We then present two constructions achieving this notion. The first binds each record to a client through digital signatures or MACs, reducing framing resistance to the unforgeability of the underlying primitive. The second eliminates the need for client-held keys by leveraging transparency logs and server-issued signed receipts, reducing framing resistance to signature unforgeability and the append-only property of the log. Both constructions are proven secure under standard assumptions. Finally, we compare the two approaches, highlighting tradeoffs in security guarantees, trust models, and deployment complexity. Our results show that framing resistance is both achievable and practical, and that secure vaults can go beyond confidentiality to offer strong integrity protections suitable for real-world cloud and data-sharing environments.