Paper 2016/902

Universally Composable Cryptographic Role-Based Access Control

Bin Liu and Bogdan Warinschi


In cryptographic access control sensitive data is protected by cryptographic primitives and the desired access structure is enforced through appropriate management of the secret keys. In this paper we study rigorous security definitions for the cryptographic enforcement of Role Based Access Control (RBAC). We propose the first simulation-based security definition within the framework of Universal Composability (UC). Our definition is natural and intuitively appealing, so we expect that our approach would carry over to other access models. Next, we establish two results that clarify the strength of our definition when compared with existing ones that use the game-based definitional approach. On the positive side, we demonstrate that both read and write-access guarantees in the sense of game-based security are implied by UC security of an access control system. Perhaps expected, this result serves as confirmation that the definition we propose is sound. Our main technical result is a proof that simulation-based security requires impractical assumptions on the encryption scheme that is employed. As in other simulation-based settings, the source of inefficiency is the well known ``commitment problem'' which naturally occurs in the context of cryptographic access control to file systems.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision. ProvSec 2016
Access ControlUniversal Composability
Contact author(s)
bin liu @ bristol ac uk
2016-09-16: revised
2016-09-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {Bin Liu and Bogdan Warinschi},
      title = {Universally Composable Cryptographic Role-Based Access Control},
      howpublished = {Cryptology ePrint Archive, Paper 2016/902},
      year = {2016},
      doi = {10.1007/978-3-319-47422-9_4},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.