Privacy-preserving attribute-based access control using homomorphic encryption

Authentication and access control for Cyber-Physical Systems (CPSs) are pivotal for protecting systems and their users from problems related to harmful actions and the malicious use of retrieved data. In some situations, making access decisions requires using user information, thereby challenging their privacy. Attribute-based access control (ABAC) supports dynamic and context-aware access decisions that are attractive in cyber-physical system environments. However, privacy preservation for access decisions is an open issue for authorization and is not supported by existing ABAC models. For example, if access decisions need to be made based on private attribute values such as health data, the corresponding access control policies need to be revealed. This paper reviews the ABAC, homomorphic encryption (HE), and zero-knowledge proof (ZKP) approaches, confirming the gap in privacy preservation in ABAC. Based on this observation, we further present the application of a new ZKP-based protocol in which ABAC allows for the privacy-preserving evaluation of attributes. This protocol is implemented and evaluated in terms of its performance and security. The evaluation demonstrates that there is a possibility for privacy-preserving ABAC, which may benefit the use of CPS, e.g., in underground and open-pit mines.