Computer science
Encryption
Computer security
Broadcast encryption
Cloud computing
On-the-fly encryption
Cryptography
40-bit encryption
Plaintext
Session key
Ciphertext
Computer network
Attribute-based encryption
Data sharing
Public-key cryptography
Replay attack
Filesystem-level encryption
Symmetric-key algorithm
56-bit encryption
Cryptographic primitive
Cloud storage
Authenticated encryption
Key (lock)
Client-side encryption
Cloud computing security
Upload
Server
Key escrow
Key distribution
Authors
Mengdi Ouyang, Fagen Li, Qiming Sun, Chou-Chan Yang, Yuyang Zhou
Identifier
DOI:10.1109/tc.2025.3624472
Abstract
In the era of expanding data volumes, users tend to encrypt their data and upload it to cloud servers. Broadcast encryption (BE) facilitates one-to-many secure data sharing and enjoys widespread adoption in many areas (e.g., Pay-TV, digital rights management, cloud storage). Nevertheless, the Snowden revelations in 2013 showed that attackers (e.g., manufacturers and supply-chain intermediaries) can tamper with cryptographic implementations and insert backdoors to undermine cryptographic primitives. In this paper, we investigate the feasibility of algorithm substitution attacks (ASAs) on BE and formalize the corresponding adversarial model. Our findings reveal that an attacker can not only recover a user's private key from the public parameters but also extract the session key encapsulated in the headers from any two consecutive headers. Consequently, our ASAs pose a greater threat than previous ASAs targeting encryption primitives. To mitigate this problem, we adopt the cryptographic reverse firewall (RF) as a countermeasure to secure BE against ASAs. We introduce the system model and security model of broadcast encryption with reverse firewalls (BE-RFs). Additionally, we construct an instance and prove that our BE-RFs not only achieve selective-identity chosen-plaintext (sID-CPA) security but also resist ASAs. Subsequently, we implement BE-RFs on both Android devices and computers for experimental evaluation, confirming their efficacy in safeguarding security. Finally, we apply BE-RFs to data sharing in cloud storage.
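The two-consecutive-header leakage and the reverse-firewall remedy sketched in the abstract, as an added toy example that is not the paper's BE-RFs construction: a subverted ElGamal-style key encapsulator whose randomness for header i+1 is derived from header i under a key the attacker embedded in the implementation, an attacker who unwraps the session key from any two consecutive headers using only the public key, and a re-randomising reverse firewall that holds only the public key, breaks the chain, and leaves legitimate decapsulation untouched. The group parameters, the attacker key, the derivation rule and the trial counts are constructed for illustration; the paper's actual attack on BE and its BE-RFs instance are not reproduced here.

```python
import hashlib
import secrets

# Toy prime-order group (constructed for illustration; far too small for real use).
P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # 2^2 mod P, so G generates the order-Q subgroup of quadratic residues

def keygen():
    """Receiver key pair: sk in [1, Q-1], pk = G^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def decaps(sk, header):
    """Unwrap the session key: c2 * c1^(-sk); c1 has order Q, so c1^(-sk) = c1^(Q-sk)."""
    c1, c2 = header
    return c2 * pow(c1, Q - sk, P) % P

# Key the manufacturer/supply-chain attacker embedded in the subverted build (constructed).
ATTACKER_KEY = b"embedded-by-subverted-implementation"

def derive_r(prev_c1):
    """Attacker's rule: randomness for the next header is a keyed hash of the previous c1."""
    h = hashlib.sha256(ATTACKER_KEY + prev_c1.to_bytes(2, "big")).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

class SubvertedEncapsulator:
    """ASA on an ElGamal-style KEM: header i+1 uses randomness the attacker can rederive
    from header i. Every header is still a valid, correctly decapsulating ciphertext."""
    def __init__(self, pk):
        self.pk = pk
        self.prev_c1 = None

    def encaps(self):
        r = secrets.randbelow(Q - 1) + 1 if self.prev_c1 is None else derive_r(self.prev_c1)
        k = pow(G, secrets.randbelow(Q - 1) + 1, P)      # fresh session key, a subgroup element
        c1 = pow(G, r, P)
        c2 = k * pow(self.pk, r, P) % P
        self.prev_c1 = c1
        return (c1, c2), k

def attacker_extract(pk, header_i, header_next):
    """With only pk and two consecutive headers, rebuild r_{i+1} and unwrap the session key."""
    r = derive_r(header_i[0])
    c1, c2 = header_next
    if pow(G, r, P) != c1:
        return None                      # chain broken: header re-randomised (or never subverted)
    return c2 * pow(pow(pk, r, P), Q - 1, P) % P   # pk^(-r), inverse via the subgroup order Q

def reverse_firewall(pk, header):
    """RF between the untrusted encapsulator and the channel. Holds no secret, only pk;
    re-randomises (c1, c2) -> (c1*G^s, c2*pk^s), which still decapsulates to the same key."""
    c1, c2 = header
    s = secrets.randbelow(Q - 1) + 1
    return (c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P)

def run_trials(with_firewall, trials=200):
    """Count how many of `trials` consecutive-header pairs the attacker unwraps correctly."""
    hits = 0
    for _ in range(trials):
        sk, pk = keygen()
        enc = SubvertedEncapsulator(pk)
        h1, k1 = enc.encaps()
        h2, k2 = enc.encaps()
        if with_firewall:
            h1, h2 = reverse_firewall(pk, h1), reverse_firewall(pk, h2)
        # The firewall must never break legitimate receivers.
        assert decaps(sk, h1) == k1 and decaps(sk, h2) == k2
        hits += attacker_extract(pk, h1, h2) == k2
    return hits

if __name__ == "__main__":
    print("without firewall:", run_trials(False), "/ 200 session keys extracted")
    print("with firewall:   ", run_trials(True), "/ 200 (residual is ~1/Q, i.e. guessing)")
```

Without the firewall the attacker recovers every session key from the header pair; with it, the only remaining success is a 1-in-Q guess of the randomness, which the toy group makes visible and a real group makes negligible. The three properties a reverse firewall is meant to have are all exercised here: it preserves functionality (decapsulation is unchanged), it needs no secret of its own, and because it injects its own fresh randomness it sanitises whatever covert channel the upstream implementation put into its outputs. The technique relies on the scheme's headers being publicly re-randomisable, which is why the abstract's remedy requires building a specific BE-RFs instance rather than wrapping an arbitrary BE scheme.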