Guaranteeing anonymity in attribute-based authorization

Attribute-based methods such as attribute-based access control make decisions based on attributes possessed by a subject rather than the subject’s identity. This allows for anonymous authorization but does not guarantee anonymity. If a policy can be composed that few subjects possess attributes to satisfy and is used for access control, the system can guess with high probability the requesting subject’s identity. Other approaches to achieving anonymity in attribute-based authorization do not address this attribute distribution problem. Suppose polices contain conjunctions of at most $t$ attributes and the system must not be able to guess with probability greater than $\frac{1}{r}$ the identity of a subject using a policy for authorization. The anonymity guarantee is $r$ for maximum credential size $t$. An anonymizing array is a combinatorial array proposed as an abstraction to address the distribution problem by ensuring that any assignment of values to $t$ attributes appearing in the array appears at least $r$ times. Anonymizing arrays are related to covering arrays with higher coverage, but have an additional property, homogeneity, due to their application domain. We discuss the application of anonymizing arrays to guarantee anonymous authorization in attribute-based methods. Additionally, we develop metrics to compare arrays with the same parameters.