Guaranteeing Anonymity in Attribute-Based Authorization

TL;DR

This paper introduces anonymizing arrays to ensure strong anonymity guarantees in attribute-based authorization systems, addressing the attribute distribution problem that can compromise user anonymity.

Contribution

It proposes the use of anonymizing arrays to guarantee anonymity in attribute-based access control, along with metrics for comparing array homogeneity.

Findings

Anonymizing arrays can ensure that any attribute combination appears at least r times.

Metrics for local and global homogeneity help compare anonymizing arrays.

The approach addresses the attribute distribution problem in anonymous authorization.

Abstract

Attribute-based methods, such as attribute-based access control and attribute-based encryption, make decisions based on attributes possessed by a subject rather than the subject's identity. While this allows for anonymous authorization -- determining that a subject is authorized without knowing the identity of the subject -- it does not guarantee anonymity. If a policy can be composed such that few subjects possess attributes satisfying the policy, then when the policy is used for access control, in addition to making a grant or deny decision, the system can also guess with high probability the identity of the subject making the request. Other approaches to achieving anonymity in attribute-based authorization do not address this attribute distribution problem. Suppose polices contain conjunctions of at most $t$ attributes and the system must not be able to guess with probability greater than $\frac{1}{r}$ the identity of a subject using a policy for authorization. We say the anonymity guarantee is $r$ for maximum credential size $t$. An anonymizing array is a combinatorial array proposed as an abstraction to address the underlying attribute distribution problem by ensuring that any assignment of values to $t$ attributes appearing in the array appears at least $r$ times. Anonymizing arrays are related to covering arrays with higher coverage, but have an additional desired property, homogeneity, due to their application domain. In this work, we discuss the application of anonymizing arrays to guarantee anonymous authorization in attribute-based methods. Additionally, we develop metrics, local and global homogeneity, to compare anonymizing arrays with the same parameters.