Concessive online/offline attribute based encryption with cryptographic reverse firewalls—secure and efficient fine-grained access control on corrupted machines

Abstract

Attribute based encryption (ABE) has potential to be applied in various cloud computing applications. However, the Snowden revelations show that powerful adversaries can corrupt users’ machines to compromise the security, and many implementations of provably secure encryption schemes may present undetectable vulnerabilities that can expose secret, e.g., the scheme still works properly even some backdoors have been stealthily engineered on users’ machines. Undoubtedly, ABE is also facing the above security threats. Recently, Mironov and Stephens-Davidowitz proposed cryptographic reverse firewall (CRF) to solve the problem. Unfortunately, no CRF-based protection for ABE has been proposed so far due to the complex system model and the extra access structure component. Besides, the encryption scheme in the CRF framework will suffer double computation latency, which is worse for ABE that has already yielded expensive operations. In this paper, we propose a concessive online/offline ciphertext-policy attribute based encryption with cryptographic reverse firewalls (COO-CP-ABE-CRF), which can resist the exfiltration of secret information and achieve selective CPA security. Furthermore, compared with the original scheme without CRF, our scheme reduces the total computation cost by half. Moreover, we develop an extensible library called libabe that is compatible with Android devices, and we implement the prototype on a laptop and a mobile phone. The experimental results indicate that the scheme is efficient and practical.