Skip to main content

Break-glass Encryption

  • Conference paper
  • First Online:
Public-Key Cryptography – PKC 2019 (PKC 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11443))

Included in the following conference series:


“Break-glass” is a term used in IT healthcare systems to denote an emergency access to private information without having the credentials to do so.

In this paper we introduce the concept of break-glass encryption for cloud storage, where the security of the ciphertexts – stored on a cloud – can be violated exactly once, for emergency circumstances, in a way that is detectable and without relying on a trusted party.

Detectability is the crucial property here: if a cloud breaks glass without permission from the legitimate user, the latter should detect it and have a proof of such violation. However, if the break-glass procedure is invoked by the legitimate user, then semantic security must still hold and the cloud will learn nothing. Distinguishing that a break-glass is requested by the legitimate party is also challenging in absence of secrets.

In this paper, we provide a formalization of break-glass encryption and a secure instantiation using hardware tokens. Our construction aims to be a feasibility result and is admittedly impractical. Whether hardware tokens are necessary to achieve this security notion and whether more practical solutions can be devised are interesting open questions.

A. Scafuro—Supported by NSF grant #1012798.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

    The name break-glass encryption is inspired by the break-glass procedures used in access control of various systems (healthcare, computer systems, etc.). In a break-glass procedure the system administrator breaks into the account of a certain user without the legitimate credentials in order to retrieve his data.

  2. 2.

    We do not formally cover this cheating case, as it requires formalization of the network interface, which is outside the scope of this work.

  3. 3.

    To see why, note that, besides the access to the token, a cloud only has a list of ciphertexts. The output of the token is either a ciphertext, or a message m, but no other information about the secret key is given in output. Thus, if a cloud is able to decrypt a ciphertext, without calling the break command, this cloud is violating the CPA-security of the ciphertext.


  1. Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differing-inputs obfuscation and applications. IACR Cryptology ePrint Archive 2013, p. 689 (2013)

    Google Scholar 

  2. Aumann, Y., Lindell, Y.: Security against covert adversaries: efficient protocols for realistic adversaries. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 137–156. Springer, Heidelberg (2007).

    Chapter  Google Scholar 

  3. Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014).

    Chapter  Google Scholar 

  4. Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, 14–16 January 2016, pp. 345–356 (2016)

    Google Scholar 

  5. Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal—an O(n2)-query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009).

    Chapter  Google Scholar 

  6. Barak, B., Mahmoody-Ghidary, M.: Merkle’s key agreement protocol is optimal: an o(n\({}^{\text{2 }}\)) attack on any key agreement from random oracles. J. Cryptol. 30(3), 699–734 (2017)

    Article  MathSciNet  Google Scholar 

  7. Badertscher, C., Maurer, U., Tschudi, D., Zikas, V.: Bitcoin as a transaction ledger: a composable treatment. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 324–356. Springer, Cham (2017).

    Chapter  Google Scholar 

  8. Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000).

    Chapter  Google Scholar 

  9. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)

    Article  MathSciNet  Google Scholar 

  10. Canetti, R.: Universally composable signature, certification, and authentication. In: 17th IEEE Computer Security Foundations Workshop (CSFW-17 2004), Pacific Grove, CA, USA, 28–30 June 2004, p. 219 (2004)

    Google Scholar 

  11. Chung, K.-M., Georgiou, M., Lai, C.-Y., Zikas, V.: Cryptography with dispensable backdoors. IACR Cryptology ePrint Archive 2018, p. 352 (2018)

    Google Scholar 

  12. Canetti, R., Hogan, K., Malhotra, A., Varia, M.: A universally composable treatment of network time. In: 30th IEEE Computer Security Foundations Symposium, CSF 2017, pp. 360–375 (2017)

    Google Scholar 

  13. Goyal, R., Goyal, V.: Overcoming cryptographic impossibility results using blockchains. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 529–561. Springer, Cham (2017).

    Chapter  Google Scholar 

  14. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 October, pp. 40–49 (2013)

    Google Scholar 

  15. Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. Algorithmica 79(4), 1353–1373 (2017)

    Article  MathSciNet  Google Scholar 

  16. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  17. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008).

    Chapter  Google Scholar 

  18. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

    Article  MathSciNet  Google Scholar 

  19. Goldreich, O.: The Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)

    Book  Google Scholar 

  20. Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions. ISC. Springer, Heidelberg (2010).

    Book  MATH  Google Scholar 

  21. Jager, T.: How to build time-lock encryption. IACR Cryptology ePrint Archive 2015, p. 478 (2015)

    Google Scholar 

  22. Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007).

    Chapter  Google Scholar 

  23. Kaptchuk, G., Miers, I., Green, M.: Managing secrets with consensus networks: fairness, ransomware and access control. IACR Cryptology ePrint Archive 2017, p. 201 (2017)

    Google Scholar 

  24. Liu, J., Kakvi, S.A., Warinschi, B.: Extractable witness encryption and timed-release encryption from bitcoin. IACR Cryptology ePrint Archive 2015, p. 482 (2015)

    Google Scholar 

  25. Lin, H., Pass, R., Soni, P.: Two-round concurrent non-malleable commitment from time-lock puzzles. IACR Cryptology ePrint Archive 2017, p. 273 (2017)

    Google Scholar 

  26. Malhotra, A., Goldberg, S.: Attacking NTP’s authenticated broadcast mode. Comput. Commun. Rev. 46(2), 12–17 (2016)

    Article  Google Scholar 

  27. Malhotra, A., Van Gundy, M., Varia, M., Kennedy, H., Gardner, J., Goldberg, S.: The security of NTP’s datagram protocol. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 405–423. Springer, Cham (2017).

    Chapter  Google Scholar 

  28. Mills, D., Martin, J., Burbank, J., Kasch, W.: RFC 5905: network time protocol version 4: protocol and algorithms specification. Internet Engineering Task Force (IETF).

Download references


We thank Laurie Williams for the initial discussion on break-glass encryption, as well as many other insightful conversations. We also thank the anonymous reviewers for their useful comments.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Alessandra Scafuro .

Editor information

Editors and Affiliations

A Additional Security Definitions

A Additional Security Definitions

Ciphertext Integrity INT-CTX [BN08]. The definition of Cipher Integrity INT-CTX, introduced by Bellare et al. in [BN08] is described in Fig. 9.

Fig. 9.
figure 9

INT-CTX game [BN08]

Fig. 10.
figure 10

\(\mathcal {F}_{\mathsf{wrap}}\) functionality [Kat07]

Ideal Functionality \(\mathcal {F}_{\mathsf{wrap}}\). For completeness we report the ideal \(\mathcal {F}_{\mathsf{wrap}}\) functionality in Fig. 10.

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Scafuro, A. (2019). Break-glass Encryption. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17258-9

  • Online ISBN: 978-3-030-17259-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics