Make Revocation Cheaper: Hardware-Based Revocable Attribute-Based Encryption

As an advanced one-to-many public key encryption system, attribute-based encryption (ABE) is widely believed to be a promising technology for achieving flexible and fine-grained access control of encrypted data on untrusted storage servers (e.g., public cloud servers). However, user revocation in ABE is a critical but challenging problem, and designing efficient revocable ABE has been an active research topic in the past decade. Almost all the existing revocable ABE schemes incorporate a timestamp in the encryption algorithm such that revoked users cannot decrypt ciphertexts generated in future time intervals. To prevent revoked users from decrypting past ciphertexts, the storage server needs to perform a process called ciphertext delegation (Sahai et al., CRYPTO'12) that periodically updates the timestamp for all ciphertexts. As the number of ciphertexts could be huge in a storage system, ciphertext delegation could pose a huge computation overhead to the server. Motivated by the popularity of commodity Trusted Execution Environment (TEE) technologies, this paper initiates the study on hardware-based revocable ABE (HR-ABE) to eliminate the (unscalable) ciphertext delegation and prevent collusion attacks between an untrusted storage server and revoked users. We formalize this new notion and present an efficient HR-ABE construction that also supports outsourced decryption for resource-constrained data users. Furthermore, HR-ABE is also designed to address the potential secret leakage problem suffered by TEE (e.g., due to side-channel attacks) so that the leakage of secrets possessed by TEE does not lead to leakage of user data. We prove HR-ABE's security formally and benchmark its performance experimentally.