The present disclosure relates to a method for anonymously reading database records, where the different records have different access control permissions. These permissions could be attributes, roles, or rights that the database user needs to have in order to access the record.
More and more transactions in daily life are performed electronically. People enter their credentials online and into various databases and disclose their personal information to different organisations, believing that small amounts of information cannot reveal enough about them to harm them. When they use the internet extensively, however, they can give away far more information about themselves than they may care to admit.
To protect sensitive information such as medical or financial data, strong access control also has to be provided, so that only those people who have the necessary rights and permissions can access it. But gathering statistics about what sort of data people query likewise reveals a lot about them. It is possible to build a complete picture of someone's movements, transactions, whereabouts and relationships from the trail left by their interactions with websites and various databases. To protect users' privacy, it is important that all electronic transactions can be performed without revealing more personal information than is absolutely necessary.
Consider access to a database in which the different records have different access control conditions; these conditions could be certain attributes, roles, or rights that a user needs to have in order to access the records. Attributes are assigned to users by a separate entity, the issuer, which is external to the database. To provide the maximal amount of privacy, a protocol is required such that:
(1) only users satisfying the access conditions for a record can access that record;
(2) the service (database) provider does not learn which record a user accesses;
(3) the service (database) provider neither learns which attributes, roles, etc. a user has when she accesses a record, i.e., access is completely anonymous, nor learns which attributes the user was required to have in order to access the record.
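The following toy model, added here as an illustration and not the protocol of the present disclosure, shows how requirements (1) to (3) fit together: each record is one-time-padded under a key bound to an RSA blind signature on the record index (so the database signs without seeing which index it is) and to an attribute secret that only the issuer hands out. It assumes textbook RSA with a toy modulus, that the database is given the issuer's attribute secrets for encryption, and that records are at most 32 bytes; a real scheme would replace the shared attribute secret with an anonymous credential proof.

```python
import hashlib, math, secrets

# Database's RSA key pair: toy primes, constructed for illustration only.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

# Issuer, separate from the database, holds one secret per attribute and hands it
# only to users who have that attribute. Assumption: the database is also given
# these secrets so it can encrypt records, but it never learns who holds which.
ISSUER_SECRETS = {"geneticist": secrets.token_bytes(16), "oncologist": secrets.token_bytes(16)}

# Constructed records, each tagged with the attribute required to read it.
RECORDS = {1: (b"mouse gene A", "geneticist"), 2: (b"ape gene B", "oncologist")}

def index_digest(i: int) -> int:
    return int.from_bytes(h(i.to_bytes(4, "big")), "big") % N

def record_key(sig: int, attr_secret: bytes) -> bytes:
    return h(sig.to_bytes(SIG_LEN, "big"), attr_secret)

def db_publish() -> dict:
    # Each record is one-time-padded under a key derived from the RSA signature on
    # its index and the attribute secret of its access policy.
    out = {}
    for i, (data, attr) in RECORDS.items():
        key = record_key(pow(index_digest(i), D, N), ISSUER_SECRETS[attr])
        out[i] = bytes(a ^ b for a, b in zip(data, key))
    return out

def db_sign_blinded(blinded: int) -> int:
    # The database sees only a random-looking value: neither the index nor the attribute.
    return pow(blinded, D, N)

def access(i: int, attr_secret: bytes, published: dict) -> bytes:
    # User side: blind the index digest, have it signed, unblind, derive the key.
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = index_digest(i) * pow(r, E, N) % N
    sig = db_sign_blinded(blinded) * pow(r, -1, N) % N
    key = record_key(sig, attr_secret)
    return bytes(a ^ b for a, b in zip(published[i], key))
```

Each blind signature unlocks exactly one record, which is what makes per-access charging possible without the database learning the record.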
Real-life examples where this matters are DNA (deoxyribonucleic acid) databases, which contain information about the purpose of each gene. Such databases are extremely valuable and are therefore not sold as a whole; instead, customers are charged per access to the database. On the other hand, the particular DNA sequences a customer accesses reveal a lot about the customer's interests, e.g., for which disease it is developing medication. Moreover, it is quite likely that subscription prices vary between species. Using the protocol, the database can charge different rates for the DNA sequences of mice and apes without forcing its customers to reveal which species they are interested in.
Other examples of databases where users have an interest in keeping their queries hidden are stock quotes, since queries can reveal information about an investment strategy, and patent search, since queries can reveal sensitive business information.