Pseudonymized Data Sharing

  • David Galindo
  • Eric R. Verheul
Part of the Advanced Information and Knowledge Processing book series (AI&KP)


This chapter proposes and analyzes pseudonymization and pseudonym intersection algorithms. Combined, these two procedures make pseudonymized data sharing possible: organizations that typically do not share information build pseudonymized copies of their private databases and provide them to third parties, called researchers. Two basic security properties are satisfied: pseudonymity, meaning that it is infeasible to relate a pseudonym to its identity; and unlinkability, meaning that it is infeasible to decide whether pseudonyms belonging to different researchers correspond to the same identity. Computing the equijoin of pseudonymized databases held by researchers A and B is possible provided that they are given the proper cryptographic keys. The outcome of the equijoin protocol between A and B is that A learns virtually nothing, while B learns the equijoin of A's and B's pseudonymized databases. Malicious researchers are prevented from abusing equijoin transitivity, in the following sense: colluding researchers A, B and C cannot use the equijoin keys for (A, B) and (B, C) to compute the equijoin of (A, C). As a prominent application of these algorithms we discuss the privacy-enhanced secondary use of electronic health records.
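
The properties stated above can be seen concretely in the following toy, added here as an illustration and not taken from the chapter. A trusted third party computes each researcher's pseudonym as H(id)^k_R in a prime-order subgroup (Pohlig-Hellman-style commutative exponentiation, which is an assumption of this example, not the chapter's construction), splits the (A, B) equijoin key into two shares so that neither researcher alone can convert pseudonyms, and the final step shows the equijoin-transitivity abuse that this naive design permits and that the chapter's scheme is designed to prevent. The 128-bit modulus, the hash-to-group map, the key-splitting and the patient records are all constructed for the example.

```python
"""Toy pseudonymized data sharing: a trusted third party (TTP), three researchers
and a split equijoin key.  Constructed illustration, not the chapter's scheme:
pseudonyms are Pohlig-Hellman-style exponentiations H(id)^k_R in a prime-order
subgroup, and the last step exhibits the equijoin-transitivity abuse it permits."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; error probability is negligible at toy sizes."""
    if n < 2:
        return False
    if any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """First safe prime p = 2q + 1 with q >= 2^(bits-1); deterministic so the demo repeats."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = safe_prime(128)   # assumption: a 128-bit toy modulus, far too small for real use
Q = (P - 1) // 2      # prime order of the quadratic-residue subgroup


def hash_to_group(identity: str) -> int:
    """Map an identity string into the order-Q subgroup: square of SHA-256(id) mod P."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (P - 2) + 2
    return pow(h, 2, P)


class TrustedThirdParty:
    """Holds one secret exponent k_R per researcher and issues equijoin key shares."""

    def __init__(self):
        self.keys = {}

    def enrol(self, researcher: str) -> None:
        self.keys[researcher] = secrets.randbelow(Q - 1) + 1

    def pseudonymize(self, researcher: str, identity: str) -> int:
        # P_R(id) = H(id)^k_R mod P.  Distinct k_R make the pseudonym spaces unlinkable.
        return pow(hash_to_group(identity), self.keys[researcher], P)

    def equijoin_keys(self, a: str, b: str) -> tuple:
        # Shares c1 (to a) and c2 (to b) with c1 * c2 = k_b / k_a (mod Q);
        # neither share alone converts a's pseudonyms into b's.
        c1 = secrets.randbelow(Q - 1) + 1
        conv = self.keys[b] * pow(self.keys[a], -1, Q) % Q
        return c1, conv * pow(c1, -1, Q) % Q


class Researcher:
    """A party holding a pseudonymized copy of one organization's records."""

    def __init__(self, name: str, ttp: TrustedThirdParty):
        self.name, self.ttp, self.table = name, ttp, {}

    def load(self, records: dict) -> None:
        for identity, payload in records.items():
            self.table[self.ttp.pseudonymize(self.name, identity)] = payload

    def blind_for(self, c1: int) -> list:
        # Equijoin step 1 (party A): raise own pseudonyms to c1, shuffle, send; A gets no reply.
        blinded = [pow(p, c1, P) for p in self.table]
        secrets.SystemRandom().shuffle(blinded)
        return blinded

    def join(self, blinded: list, c2: int) -> dict:
        # Equijoin step 2 (party B): finish the conversion and intersect with own table.
        converted = (pow(x, c2, P) for x in blinded)
        return {p: self.table[p] for p in converted if p in self.table}


def demo() -> dict:
    ttp = TrustedThirdParty()
    for name in ("A", "B", "C"):
        ttp.enrol(name)
    # Constructed sample data: patient identifier -> attribute held by each organization.
    a_records = {"id-001": "dx:diabetes", "id-002": "dx:asthma", "id-003": "dx:copd"}
    b_records = {"id-002": "lab:hba1c", "id-003": "lab:spirometry", "id-004": "lab:ecg"}
    alice, bob = Researcher("A", ttp), Researcher("B", ttp)
    alice.load(a_records)
    bob.load(b_records)
    # Unlinkability: the same identity gets unrelated pseudonyms at A and B.
    unlinkable = ttp.pseudonymize("A", "id-002") != ttp.pseudonymize("B", "id-002")
    # Equijoin (A -> B): B ends up with exactly its rows for the shared identities.
    c1, c2 = ttp.equijoin_keys("A", "B")
    joined = bob.join(alice.blind_for(c1), c2)
    expected = {ttp.pseudonymize("B", i): b_records[i] for i in ("id-002", "id-003")}
    # Transitivity abuse: colluding A, B, C multiply the (A,B) and (B,C) shares and obtain
    # k_C / k_A, i.e. the (A,C) conversion that the chapter's construction rules out.
    c1_bc, c2_bc = ttp.equijoin_keys("B", "C")
    e_ac = c1 * c2 * c1_bc * c2_bc % Q
    forged = {pow(p, e_ac, P) for p in alice.table}
    real_c = {ttp.pseudonymize("C", i) for i in a_records}
    return {"unlinkable": unlinkable, "join": joined, "join_correct": joined == expected,
            "transitivity_abuse_works": forged == real_c}


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the demo result. Two caveats worth noticing: B also obtains B-space pseudonyms for A's non-matching rows, so even this toy hands B slightly more than the bare join; and because every k_R lives in the same cyclic group, the product of the shares of two joins is a valid key for a third, which is precisely the transitivity the chapter sets out to prevent.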





Copyright information

© Springer London 2010

Authors and Affiliations

  1. University of Luxembourg, Walfer, Luxembourg
  2. Radboud University Nijmegen & PricewaterhouseCoopers Advisory, Nijmegen, The Netherlands
