PIRATTE: Proxy-based Immediate Revocation of ATTribute-based Encryption
Sonia Jahid, Nikita Borisov

TL;DR
PIRATTE is a cryptographic architecture enabling fine-grained, dynamic access control and immediate user revocation in attribute-based encryption systems without re-encrypting data or issuing new keys.
Contribution
We introduce PIRATTE, a proxy-based ABE scheme allowing instant user revocation through a minimally trusted proxy, enhancing security and flexibility.
Findings
Supports fine-grained access policies
Enables immediate revocation without re-encryption
Prototype implementation on Facebook
Abstract
Access control to data in traditional enterprises is typically enforced through reference monitors. However, as more and more enterprise data is outsourced, trusting third-party storage servers is getting challenging. As a result, cryptography, specifically attribute-based encryption (ABE), is getting popular for its expressiveness. The challenge of ABE is revocation. To address this challenge, we propose PIRATTE, an architecture that supports fine-grained access control policies and dynamic group membership. PIRATTE is built using attribute-based encryption; a key and novel feature of our architecture, however, is that it is possible to remove access from a user without issuing new keys to other users or re-encrypting existing ciphertexts. We achieve this by introducing a proxy that participates in the decryption process and enforces revocation constraints. The proxy is minimally…
Taxonomy
Topics: Cryptography and Data Security · Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting
