POST provides a shared, secure message storage facility. Application-provided message data is encrypted using a technique known as convergent encryption [7]. Convergent encryption allows a message to be disclosed to selected recipients, while ensuring that copies of a given cleartext message inserted by different users map to the same ciphertext, thus requiring only a single copy of the ciphertext to be stored.
When an application wishes to store message X, POST first computes the cryptographic Hash(X), uses this hash as a key to encrypt X with an symmetric cipher, and then stores the resulting ciphertext at the handle
which is the secure hash of the ciphertext. To decrypt the message, a user must know the hash of the plaintext.
Convergent encryption reduces the storage requirements when multiple copies of the same content tend to be inserted into the store independently. This happens commonly in cooperative applications, for instance, when a given popular document is sent as an email attachment or posted on bulletin boards by different users.
Convergent encryption is vulnerable to certain known plaintext attacks. An attacker who is able to guess the plaintext of a message can verify its existence in the store, but cannot necessarily find out who inserted it. Moreover, since users normally encrypt their private metadata, it is not possible to determine who references the message. Nevertheless, with sensitive content, convergent encryption must be used with care, particularly when the content is of a small size, is highly structured, or is otherwise predictable. In such cases, convergent encryption could be supplemented or replaced by conventional cryptographic methods. A simple change could be to prepend some number of random bits to the plaintext prior to the convergent encryption.