POLARIS: Cross-Domain Access Control via Verifiable Identity and Policy-Based Authorization
Aiyao Zhang, Xiaodong Lee, Zhixian Zhuang, Jiuqi Wei, Yufan Fu, Botao Peng
TL;DR
POLARIS tackles cross-domain access control by unifying policy-based authorization with verifiable, privacy-preserving identities. It introduces Structured Commitment Disclosure (SCD) for selective attribute disclosure and Verifiable Presentation Policy Language (VPPL) for cryptographically anchored policy evaluation, all within a session-bound security framework. The architecture relies on self-sovereign identity, DIDs, and a Verifiable Data Registry to enable interoperable cross-domain trust. Experimental evaluation on a Hyperledger Fabric prototype demonstrates scalable performance, reduced on-chain interactions, and robust concurrency under realistic workloads.
Abstract
Access control is a security mechanism designed to ensure that only authorized users can access specific resources. Cross-domain access control involves access to resources across different organizations, institutions, or applications. Traditional access control, however, which handles authentication and authorization separately in centralized environments, faces challenges in identity dispersion, privacy leakage, and diversified permission requirements, failing to adapt to cross-domain scenarios. Thus, there is an urgent need for a new access control mechanism that empowers autonomous control over user identity and resources, addressing the demands for privacy-preserving authentication and flexible authorization in cross-domain scenarios. To address cross-domain access control challenges, we propose POLARIS, a unified and extensible architecture that enables policy-based, verifiable and privacy-preserving access control across different domains. POLARIS features a structured commitment mechanism for reliable, fine-grained, policy-based identity disclosure. It further introduces VPPL, a lightweight policy language that supports issuer-bound evaluation of selectively revealed attributes. A dedicated session-level security mechanism ensures binding between authentication and access, enhancing confidentiality and resilience to replay attacks. We implement a working prototype and conduct comprehensive experiments, demonstrating that POLARIS effectively provides scalable, privacy-preserving, and interoperable access control across heterogeneous domains. Our results highlight the practical viability of POLARIS for enabling secure and privacy-preserving access control in decentralized, cross-domain environments.