Break-glass Encryption

  • Alessandra ScafuroEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)


“Break-glass” is a term used in IT healthcare systems to denote an emergency access to private information without having the credentials to do so.

In this paper we introduce the concept of break-glass encryption for cloud storage, where the security of the ciphertexts – stored on a cloud – can be violated exactly once, for emergency circumstances, in a way that is detectable and without relying on a trusted party.

Detectability is the crucial property here: if a cloud breaks glass without permission from the legitimate user, the latter should detect it and have a proof of such violation. However, if the break-glass procedure is invoked by the legitimate user, then semantic security must still hold and the cloud will learn nothing. Distinguishing that a break-glass is requested by the legitimate party is also challenging in absence of secrets.

In this paper, we provide a formalization of break-glass encryption and a secure instantiation using hardware tokens. Our construction aims to be a feasibility result and is admittedly impractical. Whether hardware tokens are necessary to achieve this security notion and whether more practical solutions can be devised are interesting open questions.



We thank Laurie Williams for the initial discussion on break-glass encryption, as well as many other insightful conversations. We also thank the anonymous reviewers for their useful comments.

Supplementary material


  1. [ABG+13]
    Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differing-inputs obfuscation and applications. IACR Cryptology ePrint Archive 2013, p. 689 (2013)Google Scholar
  2. [AL07]
    Aumann, Y., Lindell, Y.: Security against covert adversaries: efficient protocols for realistic adversaries. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 137–156. Springer, Heidelberg (2007). Scholar
  3. [BCP14]
    Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014). Scholar
  4. [BGJ+16]
    Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, 14–16 January 2016, pp. 345–356 (2016)Google Scholar
  5. [BM09]
    Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal—an O(n2)-query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009). Scholar
  6. [BM17]
    Barak, B., Mahmoody-Ghidary, M.: Merkle’s key agreement protocol is optimal: an o(n\({}^{\text{2 }}\)) attack on any key agreement from random oracles. J. Cryptol. 30(3), 699–734 (2017)MathSciNetCrossRefGoogle Scholar
  7. [BMTZ17]
    Badertscher, C., Maurer, U., Tschudi, D., Zikas, V.: Bitcoin as a transaction ledger: a composable treatment. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 324–356. Springer, Cham (2017). Scholar
  8. [BN00]
    Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000). Scholar
  9. [BN08]
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)MathSciNetCrossRefGoogle Scholar
  10. [Can04]
    Canetti, R.: Universally composable signature, certification, and authentication. In: 17th IEEE Computer Security Foundations Workshop (CSFW-17 2004), Pacific Grove, CA, USA, 28–30 June 2004, p. 219 (2004)Google Scholar
  11. [CGLZ18]
    Chung, K.-M., Georgiou, M., Lai, C.-Y., Zikas, V.: Cryptography with dispensable backdoors. IACR Cryptology ePrint Archive 2018, p. 352 (2018)Google Scholar
  12. [CHMV17]
    Canetti, R., Hogan, K., Malhotra, A., Varia, M.: A universally composable treatment of network time. In: 30th IEEE Computer Security Foundations Symposium, CSF 2017, pp. 360–375 (2017)Google Scholar
  13. [GG17]
    Goyal, R., Goyal, V.: Overcoming cryptographic impossibility results using blockchains. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 529–561. Springer, Cham (2017). Scholar
  14. [GGH+13]
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 October, pp. 40–49 (2013)Google Scholar
  15. [GGHW17]
    Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. Algorithmica 79(4), 1353–1373 (2017)MathSciNetCrossRefGoogle Scholar
  16. [GKP+13]
    Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). Scholar
  17. [GKR08]
    Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008). Scholar
  18. [GM84]
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefGoogle Scholar
  19. [Gol04]
    Goldreich, O.: The Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)CrossRefGoogle Scholar
  20. [HL10]
    Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions. ISC. Springer, Heidelberg (2010). Scholar
  21. [Jag15]
    Jager, T.: How to build time-lock encryption. IACR Cryptology ePrint Archive 2015, p. 478 (2015)Google Scholar
  22. [Kat07]
    Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007). Scholar
  23. [KMG17]
    Kaptchuk, G., Miers, I., Green, M.: Managing secrets with consensus networks: fairness, ransomware and access control. IACR Cryptology ePrint Archive 2017, p. 201 (2017)Google Scholar
  24. [LKW15]
    Liu, J., Kakvi, S.A., Warinschi, B.: Extractable witness encryption and timed-release encryption from bitcoin. IACR Cryptology ePrint Archive 2015, p. 482 (2015)Google Scholar
  25. [LPS17]
    Lin, H., Pass, R., Soni, P.: Two-round concurrent non-malleable commitment from time-lock puzzles. IACR Cryptology ePrint Archive 2017, p. 273 (2017)Google Scholar
  26. [MG16]
    Malhotra, A., Goldberg, S.: Attacking NTP’s authenticated broadcast mode. Comput. Commun. Rev. 46(2), 12–17 (2016)CrossRefGoogle Scholar
  27. [MGV+17]
    Malhotra, A., Van Gundy, M., Varia, M., Kennedy, H., Gardner, J., Goldberg, S.: The security of NTP’s datagram protocol. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 405–423. Springer, Cham (2017). Scholar
  28. [MMBK]
    Mills, D., Martin, J., Burbank, J., Kasch, W.: RFC 5905: network time protocol version 4: protocol and algorithms specification. Internet Engineering Task Force (IETF).

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.NCSURaleighUSA

Personalised recommendations