Succinct Specifications of Portable Document Access Policies
Author
Marina Bykova, Mikhail Atallah
Tech report number
CERIAS TR 2004-19
Abstract
When customers each need to be given portable access rights to a subset of documents from a large universe of n available documents, it is often the case that the space available for representing each customer's access rights is limited to much less than n, say it is no more than m bits. This is the case when, e.g., limited-capacity inexpensive cards are used to store the access rights to huge multimedia document databases. How does one represent subsets of a huge set of n elements, when only m bits are available and m is much smaller than n? We use an approach reminiscent of Bloom filters, by assigning to each document a subset of the m bits: if that document is in a customer's subset then we set the corresponding bits to 1 on the customer's card. This guarantees that each customer gets the documents he paid for, but it also gives him access to documents he did not pay for ("false positives"). We want to do so in a manner that minimizes the expected total false positives under various deterministic and probabilistic models: in the former model we assume k customers whose respective subsets are known a priori, whereas in the latter we assume (more realistically) that each document has a probability of being included in a customer's subset. We cannot use randomly assigned bits for each document (in the way Bloom filters do); rather, we need to consider the a priori knowledge (deterministic or probabilistic) we are given in each model in order to better assign a subset of the m available bits to each of the n documents. We analyze and give efficient schemes for this problem.
Booktitle
Symposium on Access Control Models and Technologies (SACMAT)
Note
SACMAT'04 is taking place in Yorktown Heights, New York, USA, on June 2-4, 2004.
Affiliation
Purdue University
Publication Date
2004-06-01
Copyright
ACM 1-58113-872-5/04/0006
Keywords
Portable access rights, compact policy representation, access control, access control enforcement, algorithm design, computational complexity
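Added example (not code from the report): the card encoding and access check described in the abstract, with false positives counted under both models. The two bit assignments, the customer subsets and the assumption that documents are included independently are constructed for illustration; they are not the report's schemes.

```python
from itertools import combinations

def make_card(paid, doc_bits):
    """Card = bitwise OR of the bit subsets of every paid-for document."""
    card = 0
    for d in paid:
        card |= doc_bits[d]
    return card

def can_access(card, doc, doc_bits):
    """A document opens only if every bit assigned to it is set on the card."""
    return card & doc_bits[doc] == doc_bits[doc]

def false_positives(paid, doc_bits):
    """Documents the card opens that the customer did not pay for."""
    card = make_card(paid, doc_bits)
    return [d for d in range(len(doc_bits))
            if d not in paid and can_access(card, d, doc_bits)]

def total_false_positives(customers, doc_bits):
    """Deterministic model: k customers whose subsets are known a priori."""
    return sum(len(false_positives(paid, doc_bits)) for paid in customers)

def expected_false_positives(probs, doc_bits):
    """Probabilistic model, assuming independent inclusion with probs[d];
    exact by enumerating all 2^n subsets, so only usable for small n."""
    n, exp = len(doc_bits), 0.0
    for r in range(n + 1):
        for paid in combinations(range(n), r):
            pr = 1.0
            for d in range(n):
                pr *= probs[d] if d in paid else 1.0 - probs[d]
            exp += pr * len(false_positives(set(paid), doc_bits))
    return exp

# Constructed sample: n = 6 documents, m = 4 card bits, k = 2 customers.
CUSTOMERS = [{0, 1, 2}, {3, 4, 5}]
# Assignment made without looking at the customers' subsets.
OBLIVIOUS = [0b0001, 0b0100, 0b0010, 0b1000, 0b0101, 0b0011]
# Assignment that keeps each customer's documents on disjoint bits.
INFORMED = [0b0001, 0b0010, 0b0011, 0b0100, 0b1000, 0b1100]

if __name__ == "__main__":
    for name, bits in (("oblivious", OBLIVIOUS), ("informed", INFORMED)):
        print(name, total_false_positives(CUSTOMERS, bits))
```

Both assignments always grant the paid-for documents; only the number of extra documents a card opens changes with how the bits are assigned.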