Cryptology ePrint Archive: Report 2017/022

Privacy for Distributed Databases via (Un)linkable Pseudonyms

Jan Camenisch and Anja Lehmann

Abstract: When data maintained in a decentralized fashion needs to be synchronized or exchanged between different databases, related data sets usually get associated with a unique identifier. While this approach facilitates cross-domain data exchange, it also comes with inherent drawbacks in terms of controllability. As data records can easily be linked, no central authority can limit or control the information flow. Worse, when records contain sensitive personal data, as is for instance the case in national social security systems, such linkability poses a massive security and privacy threat. An alternative approach is to use domain-specific pseudonyms, where only a central authority knows the cross-domain relation between the pseudonyms. However, current solutions require the central authority to be a fully trusted party, as otherwise it can provide false conversions and exploit the data it learns from the requests. We propose an (un)linkable pseudonym system that overcomes those limitations, and enables controlled yet privacy-friendly exchange of distributed data. We prove our protocol secure in the UC framework and provide an efficient instantiation based on discrete-logarithm related assumptions.

Category / Keywords: cryptographic protocols / pseudonyms, unlinkability, data exchange

Original Publication (with major differences): ACM CCS 2015

Date: received 10 Jan 2017, last revised 19 Jan 2017

Contact author: anj at zurich ibm com

Available format(s): PDF | BibTeX Citation

Version: 20170119:165748 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]