restic/changelog/unreleased/issue-5291

Security: Mitigate attack on content-defined chunking algorithm

Restic uses [Rabin Fingerprints](https://restic.net/blog/2015-09-12/restic-foundation1-cdc/)
for its content-defined chunker. The algorithm relies on a secret polynomial
to split files into chunks.

As shown in the paper "[Chunking Attacks on File Backup Services using Content-Defined Chunking](https://eprint.iacr.org/2025/532.pdf)"
by Boris Alexeev, Colin Percival and Yan X Zhang, an
attacker that can observe chunk sizes for a known file can derive the secret
polynomial. Knowledge of the polynomial might in some cases allow an attacker
to check whether certain large files are stored in a repository.

A practical attack is nevertheless hard as restic merges multiple chunks into
opaque pack files and by default processes multiple files in parallel. This
likely prevents an attacker from matching pack files to the attacker-known file
and thereby prevents the attack.

We have added a mitigation to restic, which randomizes how chunks are assembled
into pack files. This prevents an attacker from guessing which chunks are part
of a pack file and thereby prevents learning the chunk sizes.

https://github.com/restic/restic/issues/5291
https://github.com/restic/restic/pull/5295
add changelog and update threat model 2025-03-22 22:20:36 +01:00			`Security: Mitigate attack on content-defined chunking algorithm`

			`Restic uses [Rabin Fingerprints](https://restic.net/blog/2015-09-12/restic-foundation1-cdc/)`
			`for its content-defined chunker. The algorithm relies on a secret polynomial`
			`to split files into chunks.`

			`As shown in the paper "[Chunking Attacks on File Backup Services using Content-Defined Chunking](https://eprint.iacr.org/2025/532.pdf)"`
			`by Boris Alexeev, Colin Percival and Yan X Zhang, an`
			`attacker that can observe chunk sizes for a known file can derive the secret`
			`polynomial. Knowledge of the polynomial might in some cases allow an attacker`
			`to check whether certain large files are stored in a repository.`

			`A practical attack is nevertheless hard as restic merges multiple chunks into`
			`opaque pack files and by default processes multiple files in parallel. This`
			`likely prevents an attacker from matching pack files to the attacker-known file`
			`and thereby prevents the attack.`

			`We have added a mitigation to restic, which randomizes how chunks are assembled`
			`into pack files. This prevents an attacker from guessing which chunks are part`
			`of a pack file and thereby prevents learning the chunk sizes.`

			`https://github.com/restic/restic/issues/5291`
			`https://github.com/restic/restic/pull/5295`