Guaranteeing Anonymity in Attribute-Based Authorization

Attribute-based methods, such as attribute-based access control and attribute-based encryption, make decisions based on attributes possessed by a subject rather than the subject's identity. While this allows for anonymous authorization -- determining that a subject is authorized without knowing the identity of the subject -- it does not guarantee anonymity. If a policy can be composed such that few subjects possess attributes satisfying the policy, then when the policy is used for access control, in addition to making a grant or deny decision, the system can also guess with high probability the identity of the subject making the request. Other approaches to achieving anonymity in attribute-based authorization do not address this attribute distribution problem. Suppose polices contain conjunctions of at most $t$ attributes and the system must not be able to guess with probability greater than $\frac{1}{r}$ the identity of a subject using a policy for authorization. We say the anonymity guarantee is $r$ for maximum credential size $t$. An anonymizing array is a combinatorial array proposed as an abstraction to address the underlying attribute distribution problem by ensuring that any assignment of values to $t$ attributes appearing in the array appears at least $r$ times. Anonymizing arrays are related to covering arrays with higher coverage, but have an additional desired property, homogeneity, due to their application domain. In this work, we discuss the application of anonymizing arrays to guarantee anonymous authorization in attribute-based methods. Additionally, we develop metrics, local and global homogeneity, to compare anonymizing arrays with the same parameters.