Public Key Cryptography – PKC 2009

Volume 5443 of the series Lecture Notes in Computer Science pp 501-520

Controlling Access to an Oblivious Database Using Stateful Anonymous Credentials

  • Scott CoullAffiliated withInformation Security Institute, The Johns Hopkins University
  • , Matthew GreenAffiliated withInformation Security Institute, The Johns Hopkins University
  • , Susan HohenbergerAffiliated withInformation Security Institute, The Johns Hopkins University


In this work, we consider the task of allowing a content provider to enforce complex access control policies on oblivious protocols conducted with anonymous users. As our primary application, we show how to construct privacy-preserving databases by combining oblivious transfer with an augmented anonymous credential system. This permits a database operator to restrict which items each user may access, without learning anything about users’ identities or item choices. This strong privacy guarantee holds even when users are assigned different access control policies and are allowed to adaptively make many queries. To do so, we show how to augment existing anonymous credential systems so that, in addition to certifying a user’s attributes, they also store state about the user’s database access history. Our construction supports a wide range of access control policies, including efficient and private realizations of the Brewer-Nash (Chinese Wall) and Bell-LaPadula (Multilevel Security) policies, which are used for financial and defense applications. In addition, our system is based on standard assumptions in the standard model and, after an initial setup phase, each transaction requires only constant time.