PIRATTE: Proxy-based Immediate Revocation of ATTribute-based Encryption
This addresses the problem of dynamic access control for enterprises outsourcing data, offering a practical solution with potential applications in online social networks like Facebook.
The paper tackles the challenge of revocation in Attribute-based Encryption (ABE) for secure data access control by proposing PIRATTE, an architecture that enables immediate user revocation without re-encrypting data or reissuing keys, using a minimally trusted proxy.
Access control to data in traditional enterprises is typically enforced through reference monitors. However, as more and more enterprise data is outsourced, trusting third party storage servers is getting challenging. As a result, cryptography, specifically Attribute-based encryption (ABE) is getting popular for its expressiveness. The challenge of ABE is revocation. To address this challenge, we propose PIRATTE, an architecture that supports fine-grained access control policies and dynamic group membership. PIRATTE is built using attribute-based encryption; a key and novel feature of our architecture, however, is that it is possible to remove access from a user without issuing new keys to other users or re-encrypting existing ciphertexts. We achieve this by introducing a proxy that participates in the decryption process and enforces revocation constraints. The proxy is minimally trusted and cannot decrypt ciphertexts or provide access to previously revoked users. We describe the PIRATTE construction and provide a security analysis along with performance evaluation.We also describe an architecture for online social network that can use PIRATTE, and prototype application of PIRATTE on Facebook.