$\newcommand{\true}{\mathsf{true}} \newcommand{\false}{\mathsf{false}} \newcommand{\grant}{\mathtt{grant}} \newcommand{\deny}{\mathtt{deny}} \newcommand{\undefined}{\mathtt{undef}} \newcommand{\conflict}{\mathtt{conflict}} \newcommand{\policy}{pol} \newcommand{\goc}[1]{\mathsf{GoC}\!\left(#1\right)} \newcommand{\doc}[1]{\mathsf{DoC}\!\left(#1\right)} \newcommand{\gobl}[1]{\mathsf{GObl}\!\left(#1\right)} \newcommand{\dobl}[1]{\mathsf{DObl}\!\left(#1\right)} \newcommand{\accesscontrolname}{\textsf{FROST}}$

Test vectors for EPIC use cases

Documents

Contents

TODO - the dummy values have to be correctly typed once the interfaces, data types, etc are specified and the choices on hash functions, signature algorithms, etc are made - the hard-coded values have to be replaced by attribute URIs once these are specified

EPIC 1: Remote and Offline Device Access - Case 4

  1. I as a user want to use an App to access my device (e.g. open the car and start the engine) offline or remotely.
  • “user” referring to “my device” is the owner of the “device”; the owner is the subject of any request
  • “device” is the object of any request, in this case it is the car of the owner
  • actions are “open the car” and “start the engine”
  • offline access request requires policy to be stored on the resource (or policy to be included in an access token)
  • remote access request requires the resource and the owner to be online, therefore resource can retrieve policy from a remote policy store as well, but the policy could also be stored on the resource
  • necessary test data would be
    • policy which checks for some attribute values
    • compiled policy in intermediate language
    • owner’s signature over compiled policy (or some hash)
    • representation of compiled policy, either on the resource or remotely stored, and complemented with an unique identifier
    • access requests for specific actions on the object by the subject
    • decision on the access request
    • evaluation of obligations following that decision
    • enforced action as combination of decision and obligations

| Vector | Value | |:-|:-| | owner secret key | 0x7d2a...207f | | owner public key | 0x69a8...18d2 | | resource public key | 0x9e03...7f25 | | device action | act::openDoor | | policy | GrantIf (
  Const Subj =*= Entity "owner" .&&.
  Const Obj =*= Entity "resource" .&&.
&emsp;&emsp;Const Act =*= Entity "vehicle" <.> "openDoor"
) ["log_event"] | | obligation | grant {log_event} and deny {} | | compiled policy | 0x84a9...c37d | | policy ID | 0x649e...68a1 | | owner signature
over policy ID | 0x83f1...62d7 | | request subject
(owner pk) | 0x69a8...18d2 | | request object
(resource pk) | 0x9e03...7f25 | | request action
(device act) | act::openDoor | | decision | grant | | execution | grant |

Policy and associated obligations

// TODO: correctly typed values - check if request.subject == owner and value of owner is - public key 0x69a8...18d2 (to the corresponding secret key 0x7d2a...207f) - check if request.object == resource and value of resource is - public key 0x9e03...7f25 - check if request.action == openDoor or request.action == startEngine and value of specific action is - string "openDoor", "startEngine" - enum act::openDoor, act::startEngine - grant-obligations for GrantIf are {log_event}, value of result is - string "log_event" - deny-obligations for GrantIf are {}, value of result is - string "" - composition of policy p with logical “and”s in the $\accesscontrolname{}$ language syntax:

GrantIf (
    Const Subj =*= Entity "owner" .&&.
    Const Obj  =*= Entity "resource" .&&.
    Const Act  =*= Entity "vehicle" <.> "openDoor"
) ["log_event"]

Compiled policy

  • normalized intermediate language representation of policy p with value
    • bytestring 0x84a9...c37d
  • two circuits compiled from the policy, namely policy_goc and policy_doc
  • two circuits compiled from the obligation, namely obligation_grant and obligation_deny

JSON code for circuits

// policy object for policy p
{
    // circuit GoC(p) for policy p
    "policy_goc": {
        "operation": "and",
        "attribute_list": [
            // 1st and-term: owner == request.subject
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x69a8...18d2"
                    },
                    {
                        "type": "request.subject.type",
                        "value": "request.subject.value"
                    }
                ]
            },
            
            // 2nd and-term: resource == request.object
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x9e03...7f25"
                    },
                    {
                        "type": "request.object.type",
                        "value": "request.object.value"
                    }
                ]
            },
            
            // 3rd and-term: openDoor == request.action
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Action",
                        "value": "act::openDoor"
                    },
                    {
                        "type": "request.action.type",
                        "value": "request.action.value"
                    }
                ]
            }
        // end of and
        ]
    },
    
    // circuit DoC(p) for policy p
    "policy_doc": {
        "type": "Boolean",
        "value": "false"
    },
    
    // circuit GObl(p) for policy p
    "obligation_grant": {
        "operation": "if",
        "attribute_list": [
            // if-condition: from grantif
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: owner == request.subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x69a8...18d2"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },                        {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term: openDoor == request.action
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Action",
                                "value": "act::openDoor"
                            },
                            {
                                "type": "request.action.type",
                                "value": "request.action.value"
                            }
                        ]
                    }
                // end of and
                ]
            },
            
            // if-statement: oblg list from grantif
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": "log_event"
                    }
                ]
            },
            
            // else-statement: empty oblg list
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": ""
                    }
                ]
            }
        // end of if
        ]
    }
    
    // circuit DObl(p) for policy p
    "obligation_deny": {
        // empty oblg list
        "obligations": [
            {
                "type": "Obligation",
                "value": ""
            }
        ]
    }
}


  • employing generalized policy objects with log obligation policy $o$ and empty obligation policy $e$ as in Generalized Policy Objects document:

JSON code for circuits with generalized policy objects

// generalized policy object for policy p
{
    // empty context for policy p
    "context": [],
    
    // circuit GoC(p) for policy p
    "policy_goc": {
        "operation": "and",
        "attribute_list": [
            // 1st and-term: owner == request.subject
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x69a8...18d2"
                    },
                    {
                        "type": "request.subject.type",
                        "value": "request.subject.value"
                    }
                ]
            },
            
            // 2nd and-term: resource == request.object
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x9e03...7f25"
                    },
                    {
                        "type": "request.object.type",
                        "value": "request.object.value"
                    }
                ]
            },
            
            // 3rd and-term: openDoor == request.action
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Action",
                        "value": "act::openDoor"
                    },
                    {
                        "type": "request.action.type",
                        "value": "request.action.value"
                    }
                ]
            }
        // end of and
        ]
    },
    
    // circuit DoC(p) for policy p
    "policy_doc": {
        "type": "Boolean",
        "value": "false"
    },
    
    // circuit GObl(p) for policy p
    "obligation_grant": {
        "operation": "if",
        "attribute_list": [
            // if-condition: from grantif
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: owner == request.subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x69a8...18d2"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },                        {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term: openDoor == request.action
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Action",
                                "value": "act::openDoor"
                            },
                            {
                                "type": "request.action.type",
                                "value": "request.action.value"
                            }
                        ]
                    }
                // end of and
                ]
            },
            
            // if-statement: obligation policy o from grantif
            {
                "obligations": [
                    // generalized policy object for obligation policy o
                    {
                        // context for obligation policy o
                        "context": [
                            {
                                "type": "ObligationName",
                                "value": "log_event"
                            },
                            {
                                "type": "ObligationType",
                                "value": "pre"
                            },
                            {
                                "type": "ObligationTarget",
                                "value": "resource"
                            }
                        ],
                        
                        // circuit GoC(o) for obligation policy o
                        "policy_goc": {
                            "operation": "and",
                            "attribute_list": [
                                // 1st and-term: isMember(entryID)
                                {
                                    "operation": "isMember",
                                    "attribute_list": [
                                        {
                                            "type": "resource.log.type",
                                            "value": "resource.log.value"
                                        },
                                        {
                                            "type": "String",
                                            "value": "entryID"
                                        }
                                    ]
                                },
                                
                                // 2nd and-term: currentTime <= requestTime+10s
                                {
                                    "operation": "lte",
                                    "attribute_list": [
                                        {
                                            "type": "Time",
                                            "value": "time.current"    
                                        },
                                        {
                                            "operation": "add",
                                            "attribute_list": [
                                                {
                                                    "type": "Time",
                                                    "value": "request.time"
                                                },
                                                {
                                                    "type": "Time",
                                                    "value": "10s"
                                                }
                                            ]
                                        }
                                    ]
                                }
                            // end of and
                            ]
                        },
                        
                        // circuit DoC(o) for obligation policy o
                        "policy_doc": {
                            // currentTime > requestTime+10s
                            "operation": "gt"
                            "attribute_list": [
                                {
                                    "type": "Time",
                                    "value": "time.current"
                                },
                                {
                                    "operation": "add",
                                    "attribute_list": [
                                        {
                                            "type": "Time",
                                            "value": "request.time"
                                        },
                                        {
                                            "type": "Time",
                                            "value": "10s"
                                        }
                                    ]
                                }
                            ]
                        },
                        
                        // empty circuit GObl(o) for obligation policy o
                        "obligation_grant": {},
                        
                        // empty circuit DObl(o) for obligation policy o
                        "obligation_deny": {}
                    }
                ]
            },
            
            // else-statement: obligation policy e
            {
                "obligations": [
                    // generalized policy object for obligation policy e
                    {
                        // context for obligation policy e
                        "context": [
                            {
                                "type": "ObligationName",
                                "value": "empty"
                            },
                            {
                                "type": "ObligationType",
                                "value": "pre"
                            },
                            {
                                "type": "ObligationTarget",
                                "value": "resource"
                            }
                        ],
                        
                        // circuit GoC(e) for oblgation policy e
                        "policy_goc": {
                            "type": "Boolean",
                            "value": "true"
                        },
                        
                        // circuit DoC(e) for obligation policy e
                        "policy_doc": {
                            "type": "Boolean",
                            "value": "false"
                        },
                        
                        // empty circuit GObl(e) for obligation policy e
                        "obligation_grant": {},
                        
                        // empty circuit DObl(e) for obligation policy e
                        "obligation_deny": {}
                    }
                ]
            }
        // end of if
        ]
    }
    
    // circuit DObl(p) for policy p
    "obligation_deny": {
        "obligations": [
            // generalized policy object for obligation policy e
            {
                // context for obligation policy e
                "context": [
                    {
                        "type": "ObligationName",
                        "value": "empty"
                    },
                    {
                        "type": "ObligationType",
                        "value": "pre"
                    },
                    {
                        "type": "ObligationTarget",
                        "value": "resource"
                    }
                ],
                
                // circuit GoC(e) for oblgation policy e
                "policy_goc": {
                    "type": "Boolean",
                    "value": "true"
                },
                
                // circuit DoC(e) for obligation policy e
                "policy_doc": {
                    "type": "Boolean",
                    "value": "false"
                },
                
                // empty circuit GObl(e) for obligation policy e
                "obligation_grant": {},
                
                // empty circuit DObl(e) for obligation policy e
                "obligation_deny": {}
            }
        ]
    }
}


BDDs for circuits

  • nodes labeled and ordered as x1: subj==owner < x2: obj=resource < x3: act==openDoor < x4: isMember(entryID) < x5: currentTime <= requestTime+10s
  • obligations labeled as o1: obligation policy o, o2: obligation policy e
  • edges are dashed for low branch and solid for high branch
  • BDD for policy_goc of p:

graph GoC {
    0 [shape=box]
    1 [shape=box]
    x1 -- 0 [style=dashed]
    x1 -- x2
    x2 -- 0 [style=dashed]
    x2 -- x3
    x3 -- 0 [style=dashed]
    x3 -- 1
}

  • BDD for policy_doc of p:

graph DoC {
    0 [shape=box]
}

  • BDD for obligation_grant of p:

graph GObl {
    o2 [shape=box]
    o1 [shape=box]
    x1 -- o2 [style=dashed]
    x1 -- x2
    x2 -- o2 [style=dashed]
    x2 -- x3
    x3 -- o2 [style=dashed]
    x3 -- o1
}

  • BDD for obligation_deny of p:

graph DObl {
    o2 [shape=box]
}

  • BDD for policy_goc of o:

graph GoC {
    0 [shape=box]
    1 [shape=box]
    x4 -- 0 [style=dashed]
    x4 -- x5
    x5 -- 0 [style=dashed]
    x5 -- 1
}

  • BDD for policy_doc of o:

graph DoC {
    1 [shape=box]
    0 [shape=box]
    x5 -- 1 [style=dashed]
    x5 -- 0
}

  • BDD for policy_goc of e:

graph GoC {
    1 [shape=box]
}

  • BDD for policy_doc of e:

graph DoC {
    0 [shape=box]
}

Policy store

// TODO: calculate hash for above compiled policy and a hash function; calculate signature over hash - compiled policy as above - policy ID polID as a hash of the compiled policy, value of polID is - bytestring 0x649e...68a1 - signature sig = sign(sk,polID) over polID, value of sig is - bytestring 0x83f1...62d7

Access request

// TODO: put values in access request structure; add more request values which will not grant - access request by presenting request values and proofs - request.subject = 0x69a8...18d2 public key of the owner - request.object = 0x9e03...7f25 public key of the resource - request.action = act::openDoor action to open the door

Decision

// TODO: add decisions for other requests - decision dec on access request by PDP, value of dec is - FOUR grant

Enforcement

// TODO: put execution in device specific language - calculate how result of obligations interact with decision, value of execution of request is - FOUR grant

EPIC 1: Remote and Offline Device Access - Case 7

  1. I as a user want to use an App to grant my friend access to my device and he can access that device either remotely or offline.
  • “user” referring to “my device” is the owner of the “device”; “my friend” referring to a subject who is not the owner; the friend is the subject of any request but that doesn’t restrict the owner to also be the subject of a request
  • “device” is the object of any request, this might be the car of the owner as in EPIC 1.4
  • actions might be “open the car” and “start the engine” as in EPIC 1.4
  • offline access request requires either policy to be stored on the resource or policy to be included in an access token
  • remote access request requires the resource and the subject to be online, therefore resource can retrieve policy from a remote policy store as well, but the policy could also be stored on the resource or be transmitted via an access token
  • necessary test data would be
    • policy which checks for some attribute values
    • compiled policy in intermediate language
    • owner’s signature over compiled policy (or some hash)
    • representation of compiled policy, either on the resource or remotely stored, and complemented with an unique identifier
    • access requests (directly or by access token) for specific actions on the object by the subject
    • decision on the access request
    • evaluation of obligations following that decision
    • enforced action as combination of decision and obligations

| Vector | Value | |:-|:-| | owner secret key | 0x7d2a...207f | | owner public key | 0x69a8...18d2 | | user secret key | 0x933e...0396 | | user public key | 0x82d9...64a1 | | resource public key | 0x9e03...7f25 | | device action | act::openDoor | | policy | GrantIf (
&emsp;&emsp;Const Subj =*= Entity "owner" <.> "friend" .&&.
&emsp;&emsp;Const Obj =*= Entity "resource" .&&.
&emsp;&emsp;Const Act =*= Entity "vehicle" <.> "openDoor"
) ["log_event"] | | obligation | grant {log_event} and deny {} | | compiled policy | 0x873c...625b | | policy ID | 0x692f...a062 | | owner signature
over policy ID | 0xf8e1...8841 | | access token | (...) | | request subject
(user pk) | 0x82d9...64a1 | | request object
(resource pk) | 0x9e03...7f25 | | request action
(device act) | act::openDoor | | decision | grant | | execution | grant |

Policy and associated obligations

// TODO: correctly typed values - check if request.subject == friend and value of friend is - public key 0x82d9...64a1 (to the corresponding secret key 0x933e...0396) - check if request.object == resource and value of resource is - public key 0x9e03...7f25 - check if request.action == openDoor or request.action == startEngine and value of specific action is - string "openDoor", "startEngine" - enum act::openDoor, act::startEngine - composition of policy p with logical “and”s in the core language syntax:

GrantIf (
    Const Subj =*= Entity "owner" <.> "friend" .&&.
    Const Obj  =*= Entity "resource" .&&.
    Const Act  =*= Entity "vehicle" <.> "openDoor"
) ["log_event"]
  • grant-obligations for GrantIf are {log_event}, value of result is
    • string "log_event"
  • deny-obligations for GrantIf are {}, value of result is
    • string ""

Compiled policy

  • normalized intermediate language representation of policy p with value
    • bytestring 0x873c...625b
  • two circuits compiled from the policy, namely policy_goc and policy_doc
  • two circuits compiled from the obligation, namely obligation_grant and obligation_deny

JSON code for circuits

// policy object for policy p
{
    // circuit GoC(p) for policy p
    "policy_goc": {
        "operation": "and",
        "attribute_list": [
            // 1st and-term: friend == request.subject
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x82d9...64a1"
                    },
                    {
                        "type": "request.subject.type",
                        "value": "request.subject.value"
                    }
                ]
            },
            
            // 2nd and-term: resource == request.object
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x9e03...7f25"
                    },
                    {
                        "type": "request.object.type",
                        "value": "request.object.value"
                    }
                ]
            },
            
            // 3rd and-term: openDoor == request.action
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Action",
                        "value": "act::openDoor"
                    },
                    {
                        "type": "request.action.type",
                        "value": "request.action.value"
                    }
                ]
            }
        // end of and
        ]
    },
    
    // circuit DoC(p) for policy p
    "policy_doc": {
        "type": "Boolean",
        "value": "false"
    },
    
    // circuit GObl(p) for policy p
    "obligation_grant": {
        "operation": "if",
        "attribute_list": [
            // if-condition: from grantif
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: friend == request.subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x82d9...64a1"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },
                            {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term: openDoor == request.action
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Action",
                                "value": "act::openDoor"
                            },
                            {
                                "type": "request.action.type",
                                "value": "request.action.value"
                            }
                        ]
                    }
                // end of and
                ]
            },
            
            // if-statement: oblg list from grantif
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": "log_event"
                    }
                ]
            },
            
            // else-statement: empty oblg list
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": ""
                    }
                ]
            }
        // end of if
        ]
    },
    
    // circuit DObl(p) for policy p
    "obligation_deny": {
        // emtpy oblg list
        "obligations": [
            {
                "type": "Obligation",
                "value": ""
            }
        ]
    }
}


  • employing generalized policy objects with log obligation policy $o$ and empty obligation policy $e$ as in Generalized Policy Objects document:

JSON code for circuits with generalized policy objects

// generalized policy object for policy p
{
    // empty context for policy p
    "context": [],
    
    // circuit GoC(p) for policy p
    "policy_goc": {
        "operation": "and",
        "attribute_list": [
            // 1st and-term: friend == request.subject
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x82d9...64a1"
                    },
                    {
                        "type": "request.subject.type",
                        "value": "request.subject.value"
                    }
                ]
            },
            
            // 2nd and-term: resource == request.object
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x9e03...7f25"
                    },
                    {
                        "type": "request.object.type",
                        "value": "request.object.value"
                    }
                ]
            },
            
            // 3rd and-term: openDoor == request.action
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Action",
                        "value": "act::openDoor"
                    },
                    {
                        "type": "request.action.type",
                        "value": "request.action.value"
                    }
                ]
            }
        // end of and
        ]
    },
    
    // circuit DoC(p) for policy p
    "policy_doc": {
        "type": "Boolean",
        "value": "false"
    },
    
    // circuit GObl(p) for policy p
    "obligation_grant": {
        "operation": "if",
        "attribute_list": [
            // if-condition: from grantif
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: friend == request.subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x82d9...64a1"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },
                            {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term: openDoor == request.action
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Action",
                                "value": "act::openDoor"
                            },
                            {
                                "type": "request.action.type",
                                "value": "request.action.value"
                            }
                        ]
                    }
                // end of and
                ]
            },
            
            // if-statement: obligation policy o from grantif
            {
                "obligations": [
                    // generalized policy object for obligation policy o
                    {
                        // context for obligation policy o
                        "context": [
                            {
                                "type": "ObligationName",
                                "value": "log_event"
                            },
                            {
                                "type": "ObligationType",
                                "value": "pre"
                            },
                            {
                                "type": "ObligationTarget",
                                "value": "resource"
                            }
                        ],
                        
                        // circuit GoC(o) for obligation policy o
                        "policy_goc": {
                            "operation": "and",
                            "attribute_list": [
                                // 1st and-term: isMember(entryID)
                                {
                                    "operation": "isMember",
                                    "attribute_list": [
                                        {
                                            "type": "resource.log.type",
                                            "value": "resource.log.value"
                                        },
                                        {
                                            "type": "String",
                                            "value": "entryID"
                                        }
                                    ]
                                },
                                
                                // 2nd and-term: currentTime <= requestTime+10s
                                {
                                    "operation": "lte",
                                    "attribute_list": [
                                        {
                                            "type": "Time",
                                            "value": "time.current"    
                                        },
                                        {
                                            "operation": "add",
                                            "attribute_list": [
                                                {
                                                    "type": "Time",
                                                    "value": "request.time"
                                                },
                                                {
                                                    "type": "Time",
                                                    "value": "10s"
                                                }
                                            ]
                                        }
                                    ]
                                }
                            // end of and
                            ]
                        },
                        
                        // circuit DoC(o) for obligation policy o
                        "policy_doc": {
                            // currentTime > requestTime+10s
                            "operation": "gt"
                            "attribute_list": [
                                {
                                    "type": "Time",
                                    "value": "time.current"
                                },
                                {
                                    "operation": "add",
                                    "attribute_list": [
                                        {
                                            "type": "Time",
                                            "value": "request.time"
                                        },
                                        {
                                            "type": "Time",
                                            "value": "10s"
                                        }
                                    ]
                                }
                            ]
                        },
                        
                        // empty circuit GObl(o) for obligation policy o
                        "obligation_grant": {},
                        
                        // empty circuit DObl(o) for obligation policy o
                        "obligation_deny": {}
                    }
                ]
            },
            
            // else-statement: obligation policy e
            {
                "obligations": [
                    // generalized policy object for obligation policy e
                    {
                        // context for obligation policy e
                        "context": [
                            {
                                "type": "ObligationName",
                                "value": "empty"
                            },
                            {
                                "type": "ObligationType",
                                "value": "pre"
                            },
                            {
                                "type": "ObligationTarget",
                                "value": "resource"
                            }
                        ],
                        
                        // circuit GoC(e) for oblgation policy e
                        "policy_goc": {
                            "type": "Boolean",
                            "value": "true"
                        },
                        
                        // circuit DoC(e) for obligation policy e
                        "policy_doc": {
                            "type": "Boolean",
                            "value": "false"
                        },
                        
                        // empty circuit GObl(e) for obligation policy e
                        "obligation_grant": {},
                        
                        // empty circuit DObl(e) for obligation policy e
                        "obligation_deny": {}
                    }
                ]
            }
        // end of if
        ]
    },
    
    // circuit DObl(p) for policy p
    "obligation_deny": {
        "obligations": [
            // generalized policy object for obligation policy e
            {
                // context for obligation policy e
                "context": [
                    {
                        "type": "ObligationName",
                        "value": "empty"
                    },
                    {
                        "type": "ObligationType",
                        "value": "pre"
                    },
                    {
                        "type": "ObligationTarget",
                        "value": "resource"
                    }
                ],
                
                // circuit GoC(e) for oblgation policy e
                "policy_goc": {
                    "type": "Boolean",
                    "value": "true"
                },
                
                // circuit DoC(e) for obligation policy e
                "policy_doc": {
                    "type": "Boolean",
                    "value": "false"
                },
                
                // empty circuit GObl(e) for obligation policy e
                "obligation_grant": {},
                
                // empty circuit DObl(e) for obligation policy e
                "obligation_deny": {}
            }
        ]
    }
}


BDDs for circuits

  • nodes labeled and ordered as x1: subj==owner.friend < x2: obj=resource < x3: act==openDoor < x4: isMember(entryID) < x5: currentTime <= requestTime+10s
  • obligations labeled as o1: obligation policy o, o2: obligation policy e
  • edges are dashed for low branch and solid for high branch
  • BDD for policy_goc of p:

graph GoC {
    0 [shape=box]
    1 [shape=box]
    x1 -- 0 [style=dashed]
    x1 -- x2
    x2 -- 0 [style=dashed]
    x2 -- x3
    x3 -- 0 [style=dashed]
    x3 -- 1
}

  • BDD for policy_doc of p:

graph DoC {
    0 [shape=box]
}

  • BDD for obligation_grant of p:

graph GObl {
    o2 [shape=box]
    o1 [shape=box]
    x1 -- o2 [style=dashed]
    x1 -- x2
    x2 -- o2 [style=dashed]
    x2 -- x3
    x3 -- o2 [style=dashed]
    x3 -- o1
}

  • BDD for obligation_deny of p:

graph DObl {
    o2 [shape=box]
}

  • BDD for policy_goc of o:

graph GoC {
    0 [shape=box]
    1 [shape=box]
    x4 -- 0 [style=dashed]
    x4 -- x5
    x5 -- 0 [style=dashed]
    x5 -- 1
}

  • BDD for policy_doc of o:

graph DoC {
    1 [shape=box]
    0 [shape=box]
    x5 -- 1 [style=dashed]
    x5 -- 0
}

  • BDD for policy_goc of e:

graph GoC {
    1 [shape=box]
}

  • BDD for policy_doc of e:

graph DoC {
    0 [shape=box]
}

Policy store

// TODO: calculate hash for above compiled policy and a hash function; calculate signature over hash - compiled policy as above - policy ID polID as a hash of the compiled policy, value of polID is - bytestring 0x692f...a062 - signature sig = sign(sk,polID) of the owner over polID, value of sig is - bytestring 0xf8e1...8841

Access token

// TODO: put values in access token structure - compiled policy, policy ID polID and signature sig as for the policy store - access token tok = (...)

Access request

// TODO: put values or token in access request structure; add more request values which will not grant - access request by presenting request values and proofs - request.subject = 0x82d9...64a1 public key of the friend - request.object = 0x9e03...7f25 public key of the resource - request.action = act::openDoor action to open the door - access request by presenting access token tok

Decision

// TODO: add decisions for other requests - decision dec on access request by PDP, value of dec is - FOUR grant

Enforcement

// TODO: put execution in device specific language - calculate how result of obligations interact with decision, value of execution of request is - FOUR grant

EPIC 5: Third Party Integrations (in example of a car) - Case 1

  1. I as a user want to grant access to another user that belongs to a company (e.g. DHL or a shop sales person) to see where e.g. my car is located and to e.g. open/close the trunk with NFC or BLE only for a specific timeframe
  • “user” referring to “my car” is the owner; “another user that belongs to a company” referring to a subject who is not the owner; another user is the subject of any request but that doesn’t restrict the owner to also be the subject of a request
  • “car” is the object of any request
  • actions might be “get location of car” and “open trunk of car”
  • offline access request requires either policy to be stored on the resource or policy to be included in an access token (physical communication is realized by NFC or BLE)
  • remote access request requires the resource and the subject to be online, therefore resource can retrieve policy from a remote policy store as well, but the policy could also be stored on the resource or be transmitted via an access token
  • “specific timeframe” referring to additional conditions to be fulfilled
  • necessary test data would be
    • policy which checks for some attribute values
    • compiled policy in intermediate language
    • owner’s signature over compiled policy (or some hash)
    • representation of compiled policy, either on the resource or remotely stored, and complemented with an unique identifier
    • access requests (directly or by access token) for specific actions on the object by the subject
    • decision on the access request
    • evaluation of obligations following that decision
    • enforced action as combination of decision and obligations

| Vector | Value | |:-|:-| | owner secret key | 0x7d2a...207f | | owner public key | 0x69a8...18d2 | | user secret key | 0xe629...28c7 | | user public key | 0x7d20...82ac | | resource public key | 0x9e03...7f25 | | device action | act::getLocation or act::openTrunk | | device access time | 20180705110000 to 20180705130000 | | policy | p = GrantIf (
&emsp;&emsp;Subj =*= "UserDHL" .&&.
&emsp;&emsp;Obj =*= "resource" .&&.
&emsp;&emsp;(
&emsp;&emsp;&emsp;&emsp;Act =*= "getLocation" .||.
&emsp;&emsp;&emsp;&emsp;Act =*= "openTrunk" .&&.
&emsp;&emsp;&emsp;&emsp;InRange(20180705110000,
&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;"currentTime",
&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;20180705130000)
&emsp;&emsp;)
) ["log_event"]

q = Case
&emsp;&emsp;[(p `Eval` Grant, p)]
&emsp;&emsp;(Truth, Deny) | | obligation | grant {log_event} and deny {} | | compiled policy | 0x18f3...ba71 | | policy ID | 83a2...9b49 | | owner signature
over policy ID | 0xd721...c8f3 | | access token | (...) | | request subject
(user pk) | 0x7d20...82ac | | request object
(resource pk) | 0x9e03...7f25 | | request action
(device act) | act::getLocation or act::openTrunk | | decision | grant | | execution | grant |

Policy

// TODO: correctly typed values - check if request.subject == userDHL and value of userDHL is - public key 0x7d20...82ac (to the corresponding secret key 0xe629...28c7) - check if request.object == resource and value of resource is - public key 0x9e03...7f25 - check cases of actions - request.action == getLocation where the value is string "getLocation" or enum act::getLocation - request.action == openTrunk where the value is string "openTrunk" or enum act::openTrunk - check time conditions request.context.currentTime >= startTime and request.context.currentTime <= endTime with integer values in YYYYMMDDhhmmss format (Y year, M month, D day, h hour, m minute, s second) - integer 20180705110000 for start - integer 20180705130000 for end - grant-obligations for GrantIf are {log_event}, value of result is - string "log_event" - deny-obligations for GrantIf are {}, value of result is - string "" - composition of policy q with “cases” of policy p; composition of policy p with logical “and”s and “or”s

p = GrantIf (
        Subj =*= "UserDHL"  .&&.
        Obj  =*= "resource" .&&.
        (
            Act =*= "getLocation" .||. 
            Act =*= "openTrunk" .&&.
            InRange(20180705110000,
                    "currentTime",
                    20180705130000)
        )
    ) ["log_event"]

q = Case
    [(p `Eval` Grant, p)]
    (Truth, Deny)

For sake of clarity I’m being a bit loose with my own high-level syntax, but I think you get the idea. I’m assuming some ternary relation InRange but of course we could just as well use >= and <=. To further express the deny-by-default, we can wrap this in a Case. [name=Kwok]

  • obligations for policy p: grant-obligation {log_event} for GrantIf with value string "log_event"; deny-obligation {} with value string ""
  • obligations for policy q: no explicit non-empty obligations, but implicitly contained in guards and policies of the case arms where policy p shows up

Compiled policy

  • normalized intermediate language representation of policy p with value
    • bytestring 0x18f3...ba71
  • two circuits compiled from the policy, namely policy_goc and policy_doc
  • two circuits compiled from the obligation, namely obligation_grant and obligation_deny

JSON code for simplified circuits

// policy object for policy q
{
    // circuit GoC(q) for policy q
    "policy_goc": {
        "operation": "and",
        "attribute_list": [
            // 1st and-term: userDHL == request.subject
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x69a8...18d2"
                    },
                    {
                        "type": "request.subject.type",
                        "value": "request.subject.value"
                    }
                ]
            },
            
            // 2nd and-term: resource == request.object
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x9e03...7f25"
                    },  
                    {
                        "type": "request.object.type",
                        "value": "request.object.value"
                    }
                ]
            },
            
            // 3rd and-term
            {
                "operation": "or",
                "attribute_list": [
                    // 1st or-term: getLocation == request.action
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Action",
                                "value": "act::getLocation"
                            },
                            {
                                "type": "request.action.type",
                                "value": "request.action.value"
                            }
                        ]
                    },
                    
                    // 2nd or-term
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: openTrunk == request.action
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Action",
                                        "value": "act::openTrunk"
                                    },
                                    {
                                        "type": "request.action.type",
                                        "value": "request.action.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: startTime <= currentTime <= endTime
                            {
                                "operation": "InRange",
                                "attribute_list": [
                                    {
                                        "type": "DateTime",
                                        "value": "20180705110000"
                                    },
                                    {
                                        "type": "request.context.currentTime.type",
                                        "value": "request.context.currentTime.value"
                                    },
                                    {
                                        "type": "DateTime",
                                        "value": "20180705130000"
                                    }
                                ]
                            }
                        // end of and
                        ]
                    }
                // end of or
                ]
            }
        // end of and
        ]
    },
    
    // circuit DoC(q) for policy q
    "policy_doc": {
        "operation": "not",
        "attribute_list": [
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: userDHL == request.subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x69a8...18d2"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },
                            {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term
                    {
                        "operation": "or",
                        "attribute_list": [
                            // 1st or-term: getLocation == request.action
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Action",
                                        "value": "act::getLocation"
                                    },
                                    {
                                        "type": "request.action.type",
                                        "value": "request.action.value"
                                    }
                                ]
                            },
                            
                            // 2nd or-term
                            {
                                "operation": "and",
                                "attribute_list": [
                                    // 1st and-term: openTrunk == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::openTrunk"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd and-term: startTime <= currentTime <= endTime
                                    {
                                        "operation": "InRange",
                                        "attribute_list": [
                                            {
                                                "type": "DateTime",
                                                "value": "20180705110000"
                                            },
                                            {
                                                "type": "request.context.currentTime.type",
                                                "value": "request.context.currentTime.value"
                                            },
                                            {
                                                "type": "DateTime",
                                                "value": "20180705130000"
                                            }
                                        ]
                                    }
                                // end of and
                                ]
                            }
                        // end of or
                        ]
                    }
                // end of and
                ]
            }
        // end of not
        ]
    },
    
    // circuit GObl(q) for policy q
    "obligation_grant": {
        "operation": "if",
        "attribute_list": [
            // if-condition: from grantif
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: userDHL == request_subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x69a8...18d2"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },  
                            {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term
                    {
                        "operation": "or",
                        "attribute_list": [
                            // 1st or-term: getLocation = request.action
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Action",
                                        "value": "act::getLocation"
                                    },
                                    {
                                        "type": "request.action.type",
                                        "value": "request.action.value"
                                    }
                                ]
                            },
                            
                            // 2nd or-term
                            {
                                "operation": "and",
                                "attribute_list": [
                                    // 1st and-term: openTrunk == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::openTrunk"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                                }
                                        ]
                                    },
                                    
                                    // 2nd and-term: startTime <= currentTime <= endTime
                                    {
                                        "operation": "InRange",
                                        "attribute_list": [
                                            {
                                                "type": "DateTime",
                                                "value": "20180705110000"
                                            },
                                            {
                                                "type": "request.context.currentTime.type",
                                                "value": "request.context.currentTime.value"
                                            },
                                            {
                                                "type": "DateTime",
                                                "value": "20180705130000"
                                            }
                                        ]
                                    }
                                // end of and
                                ]
                            }
                        // end of or
                        ]
                    }
                // end of and
                ]
            },
            
            // if-statement: oblg list from grantif
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": "log_event"
                    }
                ]
     
            }
            
            // else-statement: empty oblg list
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": ""
                    }
                ]
            }
        // end of if
        ]
    },
    
    // circuit DObl(q) for policy q
    "obligation_deny": {
        // empty oblg list
        "obligations": [
            {
                "type": "Obligation",
                "value": ""
            }
        ]
    }
}


JSON code for non-simplified circuits

// policy object for policy q
{
    // circuit GoC(q) for policy q
    "policy_goc": {
        // (GoC(p) && not DoC(p) && GoC(p)) || ((not GoC(p) || DoC(p)) && true && GoC(deny))
        "operation": "or",
        "attribute_list": [
            // 1st or-term: GoC(p) && not DoC(p) && GoC(p)
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: GoC(p)
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: userDHL == request.subject
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x69a8...18d2"
                                    },
                                    {
                                        "type": "request.subject.type",
                                        "value": "request.subject.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: resource == request.object
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x9e03...7f25"
                                    },  
                                    {
                                        "type": "request.object.type",
                                        "value": "request.object.value"
                                    }
                                ]
                            },
                            
                            // 3rd and-term
                            {
                                "operation": "or",
                                "attribute_list": [
                                    // 1st or-term: getLocation == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::getLocation"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd or-term
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: openTrunk == request.action
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Action",
                                                        "value": "act::openTrunk"
                                                    },
                                                    {
                                                        "type": "request.action.type",
                                                        "value": "request.action.value"
                                                    }
                                                ]
                                            },
                                            
                                            // 2nd and-term: startTime <= currentTime <= endTime
                                            {
                                                "operation": "InRange",
                                                "attribute_list": [
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705110000"
                                                    },
                                                    {
                                                        "type": "request.context.currentTime.type",
                                                        "value": "request.context.currentTime.value"
                                                    },
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705130000"
                                                    }
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of or
                                ]
                            }
                        // end of and
                        ]
                    },
                    
                    // 2nd and-term: not DoC(p)
                    {
                        "operation": "not",
                        "attribute_list": [
                            {
                                "type": "Boolean",
                                "value": "false"
                            }
                        ]
                    },
                    
                    // 3rd and-term: GoC(p)
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: userDHL == request.subject
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x69a8...18d2"
                                    },
                                    {
                                        "type": "request.subject.type",
                                        "value": "request.subject.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: resource == request.object
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x9e03...7f25"
                                    },  
                                    {
                                        "type": "request.object.type",
                                        "value": "request.object.value"
                                    }
                                ]
                            },
                            
                            // 3rd and-term
                            {
                                "operation": "or",
                                "attribute_list": [
                                    // 1st or-term: getLocation == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::getLocation"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd or-term
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: openTrunk == request.action
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Action",
                                                        "value": "act::openTrunk"
                                                    },
                                                    {
                                                        "type": "request.action.type",
                                                        "value": "request.action.value"
                                                    }
                                                ]
                                            },
                                            
                                            // 2nd and-term: startTime <= currentTime <= endTime
                                            {
                                                "operation": "InRange",
                                                "attribute_list": [
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705110000"
                                                    },
                                                    {
                                                        "type": "request.context.currentTime.type",
                                                        "value": "request.context.currentTime.value"
                                                    },
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705130000"
                                                    }
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of or
                                ]
                            }
                        // end of and
                        ]
                    }
                // end of and
                ]
            },
            
            // 2nd or-term: (not GoC(p) || DoC(p)) && true && GoC(deny)
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: not GoC(p) || DoC(p)
                    {
                        "operation": "or",
                        "attribute_list": [
                            // 1st or-term: not GoC(p)
                            {
                                "operation": "not",
                                "attribute_list": [
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: userDHL == request.subject
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Ed25519",
                                                        "value": "0x69a8...18d2"
                                                    },
                                                    {
                                                        "type": "request.subject.type",
                                                        "value": "request.subject.value"
                                                    }
                                                ]
                                            },
                                            
                                            // 2nd and-term: resource == request.object
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Ed25519",
                                                        "value": "0x9e03...7f25"
                                                    },
                                                    {
                                                        "type": "request.object.type",
                                                        "value": "request.object.value"
                                                    }
                                                ]
                                            },
                                            
                                            // 3rd and-term
                                            {
                                                "operation": "or",
                                                "attribute_list": [
                                                    // 1st or-term: getLocation == request.action
                                                    {
                                                        "operation": "eq",
                                                        "attribute_list": [
                                                            {
                                                                "type": "Action",
                                                                "value": "act::getLocation"
                                                            },
                                                            {
                                                                "type": "request.action.type",
                                                                "value": "request.action.value"
                                                            }
                                                        ]
                                                    },
                                                    
                                                    // 2nd or-term
                                                    {
                                                        "operation": "and",
                                                        "attribute_list": [
                                                            // 1st and-term: openTrunk == request.action
                                                            {
                                                                "operation": "eq",
                                                                "attribute_list": [
                                                                    {
                                                                        "type": "Action",
                                                                        "value": "act::openTrunk"
                                                                    },
                                                                    {
                                                                        "type": "request.action.type",
                                                                        "value": "request.action.value"
                                                                    }
                                                                ]
                                                            },
                                                            
                                                            // 2nd and-term: startTime <= currentTime <= endTime
                                                            {
                                                                "operation": "InRange",
                                                                "attribute_list": [
                                                                    {
                                                                        "type": "DateTime",
                                                                        "value": "20180705110000"
                                                                    },
                                                                    {
                                                                        "type": "request.context.currentTime.type",
                                                                        "value": "request.context.currentTime.value"
                                                                    },
                                                                    {
                                                                        "type": "DateTime",
                                                                        "value": "20180705130000"
                                                                    }
                                                                ]
                                                            }
                                                        // end of and
                                                        ]
                                                    }
                                                // end of or
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of not
                                ]
                            },
                            
                            // 2nd or-term: DoC(p)
                            {
                                "type": "Boolean",
                                "value": "false"
                            }
                        // end of or
                        ]
                    },
                    
                    // 2nd and-term: true
                    {
                        "type": "Boolean",
                        "value": "true"
                    },
                    
                    // 3rd and-term: GoC(deny)
                    {
                        "type": "Boolean",
                        "value": "false"
                    }
                // end of and
                ]
            }
        // end of or
        ]
    },
    
    // circuit DoC(q) for policy q
    "policy_doc": {
        // (GoC(p) && not DoC(p) && DoC(p)) || ((not GoC(p) || DoC(p)) && true && DoC(deny))
        "operation": "or",
        "attribute_list": [
            // 1st or-term: GoC(p) && not DoC(p) && DoC(p)
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: GoC(p)
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: userDHL == request.subject
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x69a8...18d2"
                                    },
                                    {
                                        "type": "request.subject.type",
                                        "value": "request.subject.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: resource == request.object
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x9e03...7f25"
                                    },  
                                    {
                                        "type": "request.object.type",
                                        "value": "request.object.value"
                                    }
                                ]
                            },
                            
                            // 3rd and-term
                            {
                                "operation": "or",
                                "attribute_list": [
                                    // 1st or-term: getLocation == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::getLocation"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd or-term
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: openTrunk == request.action
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Action",
                                                        "value": "act::openTrunk"
                                                    },
                                                    {
                                                        "type": "request.action.type",
                                                        "value": "request.action.value"
                                                        }
                                                ]
                                            },
                                            
                                            // 2nd and-term: startTime <= currentTime <= endTime
                                            {
                                                "operation": "InRange",
                                                "attribute_list": [
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705110000"
                                                    },
                                                    {
                                                        "type": "request.context.currentTime.type",
                                                        "value": "request.context.currentTime.value"
                                                    },
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705130000"
                                                    }
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of or
                                ]
                            }
                        // end of and
                        ]
                    },
                    
                    // 2nd and-term: not DoC(p)
                    {
                        "operation": "not",
                        "attribute_list": [
                            {
                                "type": "Boolean",
                                "value": "false"
                            }
                        ]
                    },
                    
                    // 3rd and-term: DoC(p)
                    {
                        "type": "Boolean",
                        "value": "false"
                    }
                // end of and
                ]
            },
            
            // 2nd or-term: (not GoC(p) || DoC(p)) && true && DoC(deny)
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: not GoC(p) || DoC(p)
                    {
                        "operation": "or",
                        "attribute_list": [
                            // 1st or-term: not GoC(p)
                            {
                                "operation": "not",
                                "attribute_list": [
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: userDHL == request.subject
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Ed25519",
                                                        "value": "0x69a8...18d2"
                                                    },
                                                    {
                                                        "type": "request.subject.type",
                                                        "value": "request.subject.value"
                                                    }
                                                ]
                                            },
                                            
                                            // 2nd and-term: resource == request.object
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Ed25519",
                                                        "value": "0x9e03...7f25"
                                                    },
                                                    {
                                                        "type": "request.object.type",
                                                        "value": "request.object.value"
                                                    }
                                                ]
                                            },
                                            
                                            // 3rd and-term
                                            {
                                                "operation": "or",
                                                "attribute_list": [
                                                    // 1st or-term: getLocation == request.action
                                                    {
                                                        "operation": "eq",
                                                        "attribute_list": [
                                                            {
                                                                "type": "Action",
                                                                "value": "act::getLocation"
                                                            },
                                                            {
                                                                "type": "request.action.type",
                                                                "value": "request.action.value"
                                                            }
                                                        ]
                                                    },
                                                    
                                                    // 2nd or-term
                                                    {
                                                        "operation": "and",
                                                        "attribute_list": [
                                                            // 1st and-term: openTrunk == request.action
                                                            {
                                                                "operation": "eq",
                                                                "attribute_list": [
                                                                    {
                                                                        "type": "Action",
                                                                        "value": "act::openTrunk"
                                                                    },
                                                                    {
                                                                        "type": "request.action.type",
                                                                        "value": "request.action.value"
                                                                    }
                                                                ]
                                                            },
                                                            
                                                            // 2nd and-term: startTime <= currentTime <= endTime
                                                            {
                                                                "operation": "InRange",
                                                                "attribute_list": [
                                                                    {
                                                                        "type": "DateTime",
                                                                        "value": "20180705110000"
                                                                    },
                                                                    {
                                                                        "type": "request.context.currentTime.type",
                                                                        "value": "request.context.currentTime.value"
                                                                    },
                                                                    {
                                                                        "type": "DateTime",
                                                                        "value": "20180705130000"
                                                                    }
                                                                ]
                                                            }
                                                        // end of and
                                                        ]
                                                    }
                                                // end of or
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of not
                                ]
                            },
                            
                            // 2nd or-term: DoC(p)
                            {
                                "type": "Boolean",
                                "value": "false"
                            }
                        // end of or
                        ]
                    },
                    
                    // 2nd and-term: true
                    {
                        "type": "Boolean",
                        "value": "true"
                    },
                    
                    // 3rd and-term: DoC(deny)
                    {
                        "type": "Boolean",
                        "value": "true"
                    }
                // end of and
                ]
            }
        // end of or
        ]
    },
    
    // circuit GObl(q) for policy q
    "obligation_grant": {
        "operation": "case",
        "attribute_list": [
            // 1st case-condition: p eval grant
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: GoC(p)
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: userDHL == request.subject
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x69a8...18d2"
                                    },
                                    {
                                        "type": "request.subject.type",
                                        "value": "request.subject.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: resource == request.object
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x9e03...7f25"
                                    },  
                                    {
                                        "type": "request.object.type",
                                        "value": "request.object.value"
                                    }
                                ]
                            },
                            
                            // 3rd and-term
                            {
                                "operation": "or",
                                "attribute_list": [
                                    // 1st or-term: getLocation == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::getLocation"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd or-term
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: openTrunk == request.action
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Action",
                                                        "value": "act::openTrunk"
                                                    },
                                                    {
                                                        "type": "request.action.type",
                                                        "value": "request.action.value"
                                                        }
                                                ]
                                            },
                                            
                                            // 2nd and-term: startTime <= currentTime <= endTime
                                            {
                                                "operation": "InRange",
                                                "attribute_list": [
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705110000"
                                                    },
                                                    {
                                                        "type": "request.context.currentTime.type",
                                                        "value": "request.context.currentTime.value"
                                                    },
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705130000"
                                                    }
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of or
                                ]
                            }
                        // end of and
                        ]
                    },
                    
                    // 2nd and-term: not DoC(p)
                    {
                        "operation": "not",
                        "attribute_list": [
                            // DoC(p)
                            {
                                "type": "Boolean",
                                "value": "false"
                            }
                        ]
                    }
                // end of and
                ]
            },
            
            // 1st case-statement: p
            {
                "operation": "if",
                "attribute_list": [
                    // if-condition: from grantif
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: userDHL == request.subject
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x69a8...18d2"
                                    },
                                    {
                                        "type": "request.subject.type",
                                        "value": "request.subject.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: resource == request.object
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x9e03...7f25"
                                    },  
                                    {
                                        "type": "request.object.type",
                                        "value": "request.object.value"
                                    }
                                ]
                            },
                            
                            // 3rd and-term
                            {
                                "operation": "or",
                                "attribute_list": [
                                    // 1st or-term: getLocation == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::getLocation"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd or-term
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: openTrunk == request.action
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Action",
                                                        "value": "act::openTrunk"
                                                    },
                                                    {
                                                        "type": "request.action.type",
                                                        "value": "request.action.value"
                                                        }
                                                ]
                                            },
                                            
                                            // 2nd and-term: startTime <= currentTime <= endTime
                                            {
                                                "operation": "InRange",
                                                "attribute_list": [
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705110000"
                                                    },
                                                    {
                                                        "type": "request.context.currentTime.type",
                                                        "value": "request.context.currentTime.value"
                                                    },
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705130000"
                                                    }
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of or
                                ]
                            }
                        // end of and
                        ]
                    },
                    
                    // if-statement: oblg list from grantif
                    {
                        "obligations": [
                            {
                                "type": "Obligation",
                                "value": "log_event"
                            }
                        ]
                    },
                    
                    // else-statement: empty oblg list
                    {
                        "obligations": [
                            {
                                "type": "Obligation",
                                "value": ""
                            }
                        ]
                    }
                ]
            },
            
            // 2nd case-condition: true
            {
                "type": "Boolean",
                "value": "true"
            },
            
            // 2nd case-statement: deny
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": ""
                    }
                ]
            }
        // end of case
        ]
    },
    
    // circuit DObl(q) for policy q
    "obligation_deny": {
        "operation": "case",
        "attribute_list": [
            // 1st case-condition: p eval grant
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: GoC(p)
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: userDHL == request.subject
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x69a8...18d2"
                                    },
                                    {
                                        "type": "request.subject.type",
                                        "value": "request.subject.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: resource == request.object
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Ed25519",
                                        "value": "0x9e03...7f25"
                                    },  
                                    {
                                        "type": "request.object.type",
                                        "value": "request.object.value"
                                    }
                                ]
                            },
                            
                            // 3rd and-term
                            {
                                "operation": "or",
                                "attribute_list": [
                                    // 1st or-term: getLocation == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::getLocation"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd or-term
                                    {
                                        "operation": "and",
                                        "attribute_list": [
                                            // 1st and-term: openTrunk == request.action
                                            {
                                                "operation": "eq",
                                                "attribute_list": [
                                                    {
                                                        "type": "Action",
                                                        "value": "act::openTrunk"
                                                    },
                                                    {
                                                        "type": "request.action.type",
                                                        "value": "request.action.value"
                                                        }
                                                ]
                                            },
                                            
                                            // 2nd and-term: startTime <= currentTime <= endTime
                                            {
                                                "operation": "InRange",
                                                "attribute_list": [
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705110000"
                                                    },
                                                    {
                                                        "type": "request.context.currentTime.type",
                                                        "value": "request.context.currentTime.value"
                                                    },
                                                    {
                                                        "type": "DateTime",
                                                        "value": "20180705130000"
                                                    }
                                                ]
                                            }
                                        // end of and
                                        ]
                                    }
                                // end of or
                                ]
                            }
                        // end of and
                        ]
                    },
                    
                    // 2nd and-term: not DoC(p)
                    {
                        "operation": "not",
                        "attribute_list": [
                            // DoC(p)
                            {
                                "type": "Boolean",
                                "value": "false"
                            }
                        ]
                    }
                // end of and
                ]
            },
            
            // 1st case-statement: p
            {
                "obligations:": [
                    {
                        "type": "Obligation",
                        "value": ""
                    }
                ]
            },
            
            // 2nd case-condition: true
            {
                "type": "Boolean",
                "value": "true"
            },
            
            // 2nd case-statement: deny
            {
                "obligations": [
                    {
                        "type": "Obligation",
                        "value": ""
                    }
                ]
            }
        // end of case
        ]
    }
}


  • employing generalized policy objects with log obligation policy $o$ and empty obligation policy $e$ as in Generalized Policy Objects document:

JSON code for simplified circuits with generalized policy objects

// generalized policy object for policy q
{
    // empty context for policy q
    "context": [],
    
    // circuit GoC(q) for policy q
    "policy_goc": {
        "operation": "and",
        "attribute_list": [
            // 1st and-term: userDHL == request.subject
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x69a8...18d2"
                    },
                    {
                        "type": "request.subject.type",
                        "value": "request.subject.value"
                    }
                ]
            },
            
            // 2nd and-term: resource == request.object
            {
                "operation": "eq",
                "attribute_list": [
                    {
                        "type": "Ed25519",
                        "value": "0x9e03...7f25"
                    },  
                    {
                        "type": "request.object.type",
                        "value": "request.object.value"
                    }
                ]
            },
            
            // 3rd and-term
            {
                "operation": "or",
                "attribute_list": [
                    // 1st or-term: getLocation == request.action
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Action",
                                "value": "act::getLocation"
                            },
                            {
                                "type": "request.action.type",
                                "value": "request.action.value"
                            }
                        ]
                    },
                    
                    // 2nd or-term
                    {
                        "operation": "and",
                        "attribute_list": [
                            // 1st and-term: openTrunk == request.action
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Action",
                                        "value": "act::openTrunk"
                                    },
                                    {
                                        "type": "request.action.type",
                                        "value": "request.action.value"
                                    }
                                ]
                            },
                            
                            // 2nd and-term: startTime <= currentTime <= endTime
                            {
                                "operation": "InRange",
                                "attribute_list": [
                                    {
                                        "type": "DateTime",
                                        "value": "20180705110000"
                                    },
                                    {
                                        "type": "request.context.currentTime.type",
                                        "value": "request.context.currentTime.value"
                                    },
                                    {
                                        "type": "DateTime",
                                        "value": "20180705130000"
                                    }
                                ]
                            }
                        // end of and
                        ]
                    }
                // end of or
                ]
            }
        // end of and
        ]
    },
    
    // circuit DoC(q) for policy q
    "policy_doc": {
        "operation": "not",
        "attribute_list": [
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: userDHL == request.subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x69a8...18d2"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },  
                            {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term
                    {
                        "operation": "or",
                        "attribute_list": [
                            // 1st or-term: getLocation == request.action
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Action",
                                        "value": "act::getLocation"
                                    },
                                    {
                                        "type": "request.action.type",
                                        "value": "request.action.value"
                                    }
                                ]
                            },
                            
                            // 2nd or-term
                            {
                                "operation": "and",
                                "attribute_list": [
                                    // 1st and-term: openTrunk == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::openTrunk"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                            }
                                        ]
                                    },
                                    
                                    // 2nd and-term: startTime <= currentTime <= endTime
                                    {
                                        "operation": "InRange",
                                        "attribute_list": [
                                            {
                                                "type": "DateTime",
                                                "value": "20180705110000"
                                            },
                                            {
                                                "type": "request.context.currentTime.type",
                                                "value": "request.context.currentTime.value"
                                            },
                                            {
                                                "type": "DateTime",
                                                "value": "20180705130000"
                                            }
                                        ]
                                    }
                                // end of and
                                ]
                            }
                        // end of or
                        ]
                    }
                // end of and
                ]
            }
        // end of not
        ]
    },
    
    // circuit GObl(q) for policy q
    "obligation_grant": {
        "operation": "if",
        "attribute_list": [
            // if-condition: from grantif
            {
                "operation": "and",
                "attribute_list": [
                    // 1st and-term: userDHL == request_subject
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x69a8...18d2"
                            },
                            {
                                "type": "request.subject.type",
                                "value": "request.subject.value"
                            }
                        ]
                    },
                    
                    // 2nd and-term: resource == request.object
                    {
                        "operation": "eq",
                        "attribute_list": [
                            {
                                "type": "Ed25519",
                                "value": "0x9e03...7f25"
                            },  
                            {
                                "type": "request.object.type",
                                "value": "request.object.value"
                            }
                        ]
                    },
                    
                    // 3rd and-term
                    {
                        "operation": "or",
                        "attribute_list": [
                            // 1st or-term: getLocation = request.action
                            {
                                "operation": "eq",
                                "attribute_list": [
                                    {
                                        "type": "Action",
                                        "value": "act::getLocation"
                                    },
                                    {
                                        "type": "request.action.type",
                                        "value": "request.action.value"
                                    }
                                ]
                            },
                            
                            // 2nd or-term
                            {
                                "operation": "and",
                                "attribute_list": [
                                    // 1st and-term: openTrunk == request.action
                                    {
                                        "operation": "eq",
                                        "attribute_list": [
                                            {
                                                "type": "Action",
                                                "value": "act::openTrunk"
                                            },
                                            {
                                                "type": "request.action.type",
                                                "value": "request.action.value"
                                                }
                                        ]
                                    },
                                    
                                    // 2nd and-term: startTime <= currentTime <= endTime
                                    {
                                        "operation": "InRange",
                                        "attribute_list": [
                                            {
                                                "type": "DateTime",
                                                "value": "20180705110000"
                                            },
                                            {
                                                "type": "request.context.currentTime.type",
                                                "value": "request.context.currentTime.value"
                                            },
                                            {
                                                "type": "DateTime",
                                                "value": "20180705130000"
                                            }
                                        ]
                                    }
                                // end of and
                                ]
                            }
                        // end of or
                        ]
                    }
                // end of and
                ]
            },
            
            // if-statement: obligation policy o from grantif
            {
                "obligations": [
                    // generalized policy object for obligation policy o
                    {
                        // context for obligation policy o
                        "context": [
                            {
                                "type": "ObligationName",
                                "value": "log_event"
                            },
                            {
                                "type": "ObligationType",
                                "value": "pre"
                            },
                            {
                                "type": "ObligationTarget",
                                "value": "resource"
                            }
                        ],
                        
                        // circuit GoC(o) for obligation policy o
                        "policy_goc": {
                            "operation": "and",
                            "attribute_list": [
                                // 1st and-term: isMember(entryID)
                                {
                                    "operation": "isMember",
                                    "attribute_list": [
                                        {
                                            "type": "resource.log.type",
                                            "value": "resource.log.value"
                                        },
                                        {
                                            "type": "String",
                                            "value": "entryID"
                                        }
                                    ]
                                },
                                
                                // 2nd and-term: currentTime <= requestTime+10s
                                {
                                    "operation": "lte",
                                    "attribute_list": [
                                        {
                                            "type": "Time",
                                            "value": "time.current"    
                                        },
                                        {
                                            "operation": "add",
                                            "attribute_list": [
                                                {
                                                    "type": "Time",
                                                    "value": "request.time"
                                                },
                                                {
                                                    "type": "Time",
                                                    "value": "10s"
                                                }
                                            ]
                                        }
                                    ]
                                }
                            // end of and
                            ]
                        },
                        
                        // circuit DoC(o) for obligation policy o
                        "policy_doc": {
                            // currentTime > requestTime+10s
                            "operation": "gt"
                            "attribute_list": [
                                {
                                    "type": "Time",
                                    "value": "time.current"
                                },
                                {
                                    "operation": "add",
                                    "attribute_list": [
                                        {
                                            "type": "Time",
                                            "value": "request.time"
                                        },
                                        {
                                            "type": "Time",
                                            "value": "10s"
                                        }
                                    ]
                                }
                            ]
                        },
                        
                        // empty circuit GObl(o) for obligation policy o
                        "obligation_grant": {},
                        
                        // empty circuit DObl(o) for obligation policy o
                        "obligation_deny": {}
                    }
                ]
     
            }
            
            // else-statement: obligation policy e
            {
                "obligations": [
                    // generalized policy object for obligation policy e
                    {
                        // context for obligation policy e
                        "context": [
                            {
                                "type": "ObligationName",
                                "value": "empty"
                            },
                            {
                                "type": "ObligationType",
                                "value": "pre"
                            },
                            {
                                "type": "ObligationTarget",
                                "value": "resource"
                            }
                        ],
                        
                        // circuit GoC(e) for oblgation policy e
                        "policy_goc": {
                            "type": "Boolean",
                            "value": "true"
                        },
                        
                        // circuit DoC(e) for obligation policy e
                        "policy_doc": {
                            "type": "Boolean",
                            "value": "false"
                        },
                        
                        // empty circuit GObl(e) for obligation policy e
                        "obligation_grant": {},
                        
                        // empty circuit DObl(e) for obligation policy e
                        "obligation_deny": {}
                    }
                ]
            }
        // end of if
        ]
    },
    
    // circuit DObl(q) for policy q
    "obligation_deny": {
        "obligations": [
            // generalized policy object for obligation policy e
            {
                // context for obligation policy e
                "context": [
                    {
                        "type": "ObligationName",
                        "value": "empty"
                    },
                    {
                        "type": "ObligationType",
                        "value": "pre"
                    },
                    {
                        "type": "ObligationTarget",
                        "value": "resource"
                    }
                ],
                
                // circuit GoC(e) for oblgation policy e
                "policy_goc": {
                    "type": "Boolean",
                    "value": "true"
                },
                
                // circuit DoC(e) for obligation policy e
                "policy_doc": {
                    "type": "Boolean",
                    "value": "false"
                },
                
                // empty circuit GObl(e) for obligation policy e
                "obligation_grant": {},
                
                // empty circuit DObl(e) for obligation policy e
                "obligation_deny": {}
            }
        ]
    }
}


BDDs for circuits

  • nodes labeled and ordered as x1: subj==userDHL < x2: obj=resource < x3: act==getLocation < x4: act==openTrunk < x5: inRange(20180705110000,"currentTime",20180705130000) < x6: isMember(entryID) < x7: currentTime <= requestTime+10s
  • obligations labeled as o1: obligation policy o, o2: obligation policy e
  • edges are dashed for low branch and solid for high branch
  • BDD for policy_goc of q:

graph GoC {
    0 [shape=box]
    1 [shape=box]
    x1 -- 0 [style=dashed]
    x1 -- x2
    x2 -- 0 [style=dashed]
    x2 -- x3
    x3 -- x4 [style=dashed]
    x3 -- 1
    x4 -- 0 [style=dashed]
    x4 -- x5
    x5 -- 0 [style=dashed]
    x5 -- 1
}

  • BDD for policy_doc of q:

graph DoC {
    0 [shape=box]
    1 [shape=box]
    x1 -- 1 [style=dashed]
    x1 -- x2
    x2 -- 1 [style=dashed]
    x2 -- x3
    x3 -- x4 [style=dashed]
    x3 -- 0
    x4 -- 1 [style=dashed]
    x4 -- x5
    x5 -- 1 [style=dashed]
    x5 -- 0
}

  • BDD for obligation_grant of q:

graph GObl {
    o2 [shape=box]
    o1 [shape=box]
    x1 -- o2 [style=dashed]
    x1 -- x2
    x2 -- o2 [style=dashed]
    x2 -- x3
    x3 -- x4 [style=dashed]
    x3 -- o1
    x4 -- o2 [style=dashed]
    x4 -- x5
    x5 -- o2 [style=dashed]
    x5 -- o1
}

  • BDD for obligation_deny of q:

graph DObl {
    o2 [shape=box]
}

  • BDD for policy_goc of o:

graph GoC {
    0 [shape=box]
    1 [shape=box]
    x6 -- 0 [style=dashed]
    x6 -- x7
    x7 -- 0 [style=dashed]
    x7 -- 1
}

  • BDD for policy_doc of o:

graph DoC {
    1 [shape=box]
    0 [shape=box]
    x7 -- 1 [style=dashed]
    x7 -- 0
}

  • BDD for policy_goc of e:

graph GoC {
    1 [shape=box]
}

  • BDD for policy_doc of e:

graph DoC {
    0 [shape=box]
}

Policy store

// TODO: calculate hash for above compiled policy and a hash function; calculate signature over hash - compiled policy as above - policy ID polID as a hash of the compiled policy, value of polID is - bytestring 0x83a2...9b49 - signature sig = sign(sk,polID) of the owner over polID, value of sig is - bytestring 0xd721...c8f3

Access token

// TODO: put values in access token structure - compiled policy, policy ID polID and signature sig as for the policy store - access token tok = (...)

Access request

// TODO: put values or token in access request structure; add more request values which will not grant - access request by presenting request values and proofs - request.subject = 0x82d9...64a1 public key of the friend - request.object = 0x9e03...7f25 public key of the resource - request.action = act::openDoor action to open the door - access request by presenting access token tok

Decision

// TODO: add decisions for other requests - decision dec on access request by PDP, value of dec is - FOUR grant

Enforcement

// TODO: put execution in device specific language - calculate how result of obligations interact with decision, value of execution of request is - FOUR grant