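Revocation
Computer science
Proxy re-encryption
Encryption
Access control
Proxy (statistics)
Computer security
Proxy server
Attribute-based encryption
Cryptography
Architecture
Server
Public-key cryptography
Computer network
Operating system
Art
Machine learning
Visual arts
Overhead (engineering)
Authors
Sonia Jahid, Nikita Borisov
Source
Journal: Cornell University - arXiv
Date: 2012-08-23
Citations: 19
Abstract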
Access control to data in traditional enterprises is typically enforced through reference monitors. However, as more and more enterprise data is outsourced, trusting third party storage servers is getting challenging. As a result, cryptography, specifically Attribute-based encryption (ABE) is getting popular for its expressiveness. The challenge of ABE is revocation.
To address this challenge, we propose PIRATTE, an architecture that supports fine-grained access control policies and dynamic group membership. PIRATTE is built using attribute-based encryption; a key and novel feature of our architecture, however, is that it is possible to remove access from a user without issuing new keys to other users or re-encrypting existing ciphertexts. We achieve this by introducing a proxy that participates in the decryption process and enforces revocation constraints. The proxy is minimally trusted and cannot decrypt ciphertexts or provide access to previously revoked users. We describe the PIRATTE construction and provide a security analysis along with performance evaluation. We also describe an architecture for online social network that can use PIRATTE, and prototype application of PIRATTE on Facebook.