The era of large astronomical surveys generates massive image catalogs requiring efficient and secure access, particularly during pre-publication periods where data confidentiality and integrity are paramount. While Findable, Accessible, Interoperable, and Reusable (FAIR) principles guide the eventual public dissemination of data, traditional security methods for restricted phases often lack granularity or incur prohibitive performance penalties. To address this, we present a framework that integrates a flexible policy engine for fine-grained access control with a novel GPU-accelerated implementation of the AES-GCM authenticated encryption protocol. The novelty of this work lies in the adaptation and optimization of a parallel tree-reduction strategy to overcome the main performance bottleneck in authenticated encryption on GPUs: the inherently sequential Galois/Counter Mode (GCM) authentication hash (GHASH). We present both the algorithmic adaptation and its efficient execution on GPU architectures. Building on optimized GPU AES kernels from recent work in cryptographic acceleration, this work presents the first integration of these techniques into a high-throughput, FITS-aware encryption framework specifically designed for large-scale astronomical data, combining cryptographic authentication, dual-key access control, and direct compatibility with the standard astronomical Python ecosystem. Our implementation transforms the sequential GHASH computation into a highly parallelizable, logarithmic-time process, achieving authenticated encryption throughput suitable for petabyte-scale image analysis. Our solution provides a robust mechanism for data providers to enforce access policies, ensuring both confidentiality and integrity without hindering research workflows, thereby facilitating a secure and managed transition of data to public, FAIR archives.
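As an added illustration (not the authors' GPU kernel or any code from the paper), the sketch below shows one way a sequential GHASH can be rewritten as a pairwise tree reduction. The `(hash, power)` combine rule and all function names are assumptions made for this example; field multiplication follows NIST SP 800-38D, and the sample blocks are constructed.

```python
# Added example: GHASH as a sequential Horner chain vs. a pairwise tree reduction.
R = 0xE1 << 120  # GCM reduction constant for x^128 + x^7 + x^2 + x + 1


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) with GCM bit ordering (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(127, -1, -1):  # integer bit 127 is GCM's leftmost bit
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def to_blocks(data: bytes) -> list:
    """Zero-pad to a multiple of 16 bytes and split into 128-bit integers."""
    data += b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def ghash_sequential(h: int, blocks: list) -> int:
    """Reference form: Y_i = (Y_{i-1} xor X_i) * H, one block after another."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y


def combine(left: tuple, right: tuple) -> tuple:
    """Merge two adjacent segments, each given as (segment hash, H^segment_len)."""
    (a, pa), (b, pb) = left, right
    return gf_mul(a, pb) ^ b, gf_mul(pa, pb)


def ghash_tree(h: int, blocks: list) -> int:
    """Same result in ceil(log2(n)) levels; combines within a level are independent."""
    if not blocks:
        return 0
    level = [(gf_mul(x, h), h) for x in blocks]  # leaves: one-block segments
    while len(level) > 1:
        nxt = [combine(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:  # an unpaired last segment is carried up unchanged
            nxt.append(level[-1])
        level = nxt
    return level[0][0]


if __name__ == "__main__":
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E  # AES-128 of the zero block under a zero key
    blocks = to_blocks(b"constructed sample pixel data " * 5)
    print(hex(ghash_sequential(h, blocks)), hex(ghash_tree(h, blocks)))
```

Because `combine` is associative, every pair in a level can be processed by a separate thread, which is what turns the chain of n dependent multiplications into a logarithmic number of parallel steps.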