Self sovereign and blockchain based access control: Supporting attributes privacy with zero knowledge

Recent years have witnessed, especially in Europe, a shift aimed at bringing users back at the center of digital systems. This has driven innovation towards the affirmation of decentralized systems, in line with the Self Sovereign Identity paradigm. User control over the consumption and disclosure of their data is a key topic of such drive. In this paper we show how it is possible to apply this increasingly popular concept to a traditionally centralized and opaque digital process: Access Control systems. To this aim we expand the XACML standard for Attribute Based Access Control systems with the novel concept of private attributes, i.e. attributes whose values should not be disclosed while still contributing to a policy evaluation result after user consent. Basing our proposal on blockchain systems, we show how to leverage smart contracts and zero knowledge proofs to allow for transparent policies evaluation without disclosing the value of such sensible attributes. Beside formalizing our goals, presenting the system architecture, and discussing its advantages and drawbacks with respect to the traditional model, we provide a reference example to show our proposal innovative capabilities and provide a prototype experimental evaluation to prove its feasibility.