Access Control Module
The access_control module provides cryptographic access control for encrypted documents without storing keys on-chain. It uses commitment-based access management that automatically transfers with token ownership.
Overview
Access control ensures that only token owners can access encrypted documents. The system:
- Never stores encryption keys on-chain
- Uses cryptographic commitments instead
- Automatically transfers access with token ownership
- Emits events for off-chain key distribution
Key Structures
AccessRegistry
Shared registry for access records:
public struct AccessRegistry has key {
id: UID,
records: Table<address, AccessRecord>, // Maps token address to access record
total_records: u64,
}AccessRecord
Access control record:
public struct AccessRecord has store {
token_address: address,
key_commitment: vector<u8>, // Commitment to encryption key
blob_id: String, // Walrus blob ID reference
version_index: u64, // Document version index
created_at: u64,
updated_at: u64,
}AccessProof
Proof of ownership for access verification:
public struct AccessProof has store {
token_address: address,
owner: address,
timestamp: u64,
}Main Functions
register_access()
Register access control with key commitment:
public entry fun register_access(
registry: &mut AccessRegistry,
token_address: address,
key_commitment: vector<u8>,
blob_id: String,
version_index: u64,
ctx: &mut TxContext
)Parameters:
registry: Mutable reference to AccessRegistrytoken_address: Address of RWA tokenkey_commitment: Cryptographic commitment to encryption keyblob_id: Walrus blob IDversion_index: Document version indexctx: Transaction context
Effects:
- Creates AccessRecord
- Increments total_records
- Emits
AccessRecordCreatedevent
verify_and_grant_access()
Verify token ownership and grant access:
public fun verify_and_grant_access(
registry: &AccessRegistry,
token: &RwaToken,
token_address: address
): AccessProofRequirements:
- Caller must own the RWA token
- Access record must exist
Returns: AccessProof struct
Effects:
- Verifies ownership on-chain
- Emits
AccessGrantedevent - Off-chain systems can monitor events to distribute keys
get_access_record()
Read access record details:
public fun get_access_record(
registry: &AccessRegistry,
token_address: address
): AccessRecordReturns: AccessRecord if exists
Key Commitment Scheme
The key commitment is computed as:
key_commitment = hash(secret || blob_id || version_index)Where:
secret: Secret value known only to document issuerblob_id: Walrus blob ID (public)version_index: Document version (public)
Access Flow
Registration Flow
- Issuer encrypts document with key
- Computes key commitment
- Registers commitment on-chain
- Stores encrypted key off-chain (indexer/backend)
- Key encrypted with token owner's public key
Access Flow
- Token owner calls
verify_and_grant_access() - Smart contract verifies ownership
- Smart contract emits
AccessGrantedevent - Off-chain system monitors event
- Off-chain system retrieves encrypted key
- Key decrypted and provided to owner
Transfer Flow
- Token transferred to new owner
- New owner calls
verify_and_grant_access() - Event emitted with new owner address
- Off-chain system updates key encryption
- New owner receives access
Events
AccessRecordCreated
public struct AccessRecordCreated has copy, drop {
token_address: address,
key_commitment: vector<u8>,
blob_id: String,
timestamp: u64,
}AccessGranted
public struct AccessGranted has copy, drop {
token_address: address,
owner: address,
timestamp: u64,
}Security Model
On-Chain
- Commitments Only: No keys stored on-chain
- Ownership Verification: Smart contract verifies token ownership
- Event-Based: Events trigger off-chain key distribution
Off-Chain
- Key Storage: Encrypted keys stored off-chain
- Event Monitoring: Indexer monitors AccessGranted events
- Key Encryption: Keys encrypted per owner
- Access Control: Only verified owners receive keys
Integration with Vault
Access control integrates with both vault modules:
Regular Vault
// Vault stores access_key in DocumentVersion
// Access control provides additional layer
// Key commitment can be verified against vaultZK Vault
// ZK vault stores encrypted access_key
// Access control provides ownership verification
// ZK proofs can prove ownership without revealingUsage Examples
Register Access
sui client call \
--package <PACKAGE_ID> \
--module access_control \
--function register_access \
--args <REGISTRY_ID> <TOKEN_ADDRESS> "[<KEY_COMMITMENT>]" "<BLOB_ID>" 0 \
--gas-budget 10000000Verify and Grant Access
const tx = new TransactionBlock();
tx.moveCall({
target: `${PACKAGE_ID}::access_control::verify_and_grant_access`,
arguments: [
tx.object(ACCESS_REGISTRY_ID),
tx.object(tokenId),
tx.pure.address(tokenAddress),
],
});
await suiClient.signAndExecuteTransactionBlock({
signer: keypair,
transactionBlock: tx,
});Event Monitoring
Off-chain systems should monitor AccessGranted events:
const events = await suiClient.subscribeEvent({
filter: {
Package: PACKAGE_ID,
},
onMessage: (event) => {
if (event.type === 'AccessGranted') {
// Retrieve encrypted key
// Decrypt for owner
// Provide access
}
},
});Benefits
Security
- Keys never exposed on-chain
- Ownership verified cryptographically
- Commitment prevents key reconstruction
Flexibility
- Works with any encryption scheme
- Compatible with ZK proofs
- Supports multiple access patterns
Automation
- Automatic transfer with ownership
- Event-based key distribution
- No manual key management
Best Practices
- Secret Management: Store secrets securely off-chain
- Commitment Strength: Use cryptographically secure hash functions
- Event Monitoring: Reliable off-chain event monitoring
- Key Encryption: Encrypt keys per owner
- Access Logging: Log all access grants for audit
Comparison with Direct Key Storage
| Approach | On-Chain Keys | Access Control Module |
|---|---|---|
| Key Storage | Stored directly | Commitment only |
| Privacy | Lower | Higher |
| Flexibility | Limited | High |
| Complexity | Simple | More complex |
| Off-Chain Required | No | Yes (for key distribution) |
Next Steps
- Learn about Document Vault
- Understand ZK Vault
- Review Frontend Services