• DocumentCode
    3162223
  • Title

    Attribute pooling for Cryptographic Access Control

  • Author

    Kiviharju, Mikko

  • Author_Institution
    Inf. Technol. Div., Finnish Defence Res. Agency, Riihimaki, Finland
  • fYear
    2015
  • fDate
    18-19 May 2015
  • Firstpage
    1
  • Lastpage
    12
  • Abstract
    The need to securely share classified information is a long-standing open problem, especially in large and dynamic environments. Multiple large-scale approaches, such as NATO Object Level Protection (OLP) and Content-based Protection and Release (CPR), address parts of this problem. CPR contains an example of an enforcement paradigm called Cryptographic Access Control (CAC), to enable combining protection and release policies with content, user and terminal properties (or attributes) cryptographically. The main element of CAC in this case is called attribute-based encryption, or ABE. With ABE it is possible to enforce very fine-grained policies, but combining attributes from users and terminals for general policies is cumbersome and not directly possible with existing schemes. We present in this paper a key-management encryption scheme on top of a multi-authority ABE, solving the key pooling problem. Direct applications include a more efficient and general CAC approach for e.g. CPR to enable more secure handling of multi-level secure, encrypted content. Indirectly, the more general framework of CAC itself is completed with this functionality.
  • Keywords
    authorisation; cryptography; CAC; CPR; OLP; attribute pooling; attribute-based encryption; content-based protection and release; cryptographic access control; key pooling problem; key-management encryption scheme; multiauthority ABE; multilevel secure encrypted content; object level protection; release policies; terminal properties; Algorithm design and analysis; Cryptography; ABE; CAC; CPR; LW-ABE; MLS; OLP; key management; provable security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Military Communications and Information Systems (ICMCIS), 2015 International Conference on
  • Conference_Location
    Cracow
  • Print_ISBN
    978-8-3934-8485-0
  • Type

    conf

  • DOI
    10.1109/ICMCIS.2015.7158677
  • Filename
    7158677