IBBE-SGX: Cryptographic Group Access Control using Trusted Execution Environments

TL;DR

IBBE-SGX introduces an efficient cryptographic access control extension leveraging Intel SGX to enable secure, scalable, and zero-knowledge group management for cloud storage, significantly improving performance over traditional methods.

Contribution

The paper presents IBBE-SGX, a novel approach combining SGX with IBBE for scalable, efficient, and privacy-preserving access control in cloud environments.

Findings

Membership changes are 12 times faster than hybrid encryption.

Group metadata size is reduced by a factor of one million.

The approach provides zero knowledge guarantees.

Abstract

While many cloud storage systems allow users to protect their data by making use of encryption, only few support collaborative editing on that data. A major challenge for enabling such collaboration is the need to enforce cryptographic access control policies in a secure and efficient manner. In this paper, we introduce IBBE-SGX, a new cryptographic access control extension that is efficient both in terms of computation and storage even when processing large and dynamic workloads of membership operations, while at the same time offering zero knowledge guarantees. IBBE-SGX builds upon Identity-Based Broadcasting Encryption (IBBE). We address IBBE's impracticality for cloud deployments by exploiting Intel Software Guard Extensions (SGX) to derive cuts in the computational complexity. Moreover, we propose a group partitioning mechanism such that the computational cost of membership update is bound to a fixed constant partition size rather than the size of the whole group. We have implemented and evaluated our new access control extension. Results highlight that IBBE-SGX performs membership changes 1.2 orders of magnitude faster than the traditional approach of Hybrid Encryption (HE), producing group metadata that are 6 orders of magnitude smaller than HE, while at the same time offering zero knowledge guarantees.