1556-6013 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2015.2464781, IEEE Transactions on Information Forensics and Security 1 AAC-OT: Accountable Oblivious Transfer with Access Control Jinguang Han, Member, IEEE, Willy Susilo * , Senior Member, IEEE, Yi Mu, Senior Member, IEEE, Man Ho Au, Member, IEEE, and Jie Cao Abstract—To prevent illegal users accessing the database and protect users’ privacy, oblivious transfer with access control (AC-OT) was proposed. In an AC-OT scheme, the database provider can encrypt the records and publish cor- responding access control lists (ACLs). Prior to accessing the records, a user needs to obtain anonymous credentials from the issuer. Subsequently, an authorized user can obtain the intended records without the database provider knowing its choices. Although AC-OT schemes have shown a lot of merits, there are some practical issues: (1) One of the inherited problems in anonymous credentials is timely revocation; (2) how to prevent malicious users overusing the records. In this paper, we propose an accountable AC-OT (AAC-OT) scheme to address these issues. In our scheme, an authorized user can access the protected records without the database provider knowing his personal information and choices if (1) he has obtained the required credentials listed in the ACLs; (2) the number of the access times for each record is no more than the specified bound. Notably, the database provider can trace and revoke the user who overused the records even in the lifetime of his credentials. To the best of our knowledge, it is the first AC-OT scheme where timely revocation and overuse detection are considered. Index Terms—Privacy, Accountability, Oblivious Transfer, Revocation, Security I. I NTRODUCTION I N a database, for each record, there are some access requirements which could be certain attributes, roles or rights. Suppose that there is an authority called issuer who issues credentials to users according to their attributes, roles or rights. In order to access one record, the requester must convince the database provider that he/she is an authorized user. Although partial personal information is not sufficient to identify the real user, an extensive use of personal infor- mation will risk the user being identified. Hence, privacy is- sues as one of the big concerning problems of network users Copyright (c) 2013 IEEE. Personal use of this material is per- mitted. However, permission to use this material for any other pur- poses must be obtained from the IEEE by sending a request to pubs- permissions@ieee.org (Corresponding author: Jinguang Han and Willy Susilo) J. Han and J. Cao are with Jiangsu Provincial Key Laboratory of E- Business, Nanjing University of Finance and Economics, Nanjing, Jiangsu 210003, China. E-mail: jghan22@gmail.com; caojie690929@163.com W. Susilo and Y. Mu are with the School of Computing and Information Technology, University of Wollongong, NSW 2522, Australia. E-mail: wsusilo@uow.edu.au; ymu@uow.edu.au; M. H. Au is with the Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong. E-mail: csallen@comp.polyu.edu.hk have been extensively addressed in the research community. In order to protect users’ privacy, many schemes that aim to protect users’ personal information have been proposed, such as anonymous credential schemes [1], [2], pseudonym schemes [3], membership proof schemes [4], [5], [6]. However, as pointed in [7], protecting personal information is not enough to protect users’ privacy as adversaries can identify and trace a user by tracing his/her access history, such as the websites which he/she visited, tax records which he/she accessed and the health information which he/she checked. Furthermore, schemes where access history can be hidden have been constructed, including oblivious transfer [8], [9], privacy-preserving set operations [10], [11], secure computing [12], [13]. However, to solve privacy issues, both personal information and the accessed history should be addressed. Although schemes towards protecting users’ personal information and the accessed records have been proposed [14], [15], there is no scheme to address the problem that the number of times which a user can access a record is limited during a given time period. Nevertheless, this is an important and practical problem, as different records have different properties. For example, some records are commonly used; while others maybe seldom used. Hence, to optimize the access, for the commonly used records, the number of times which a user can access should be small; while for the seldom used records, this number can be large. Otherwise, malicious users can overuse the commonly used records and prevent others from using it. Therefore, addressing the number of access times and detecting overusing users are interesting and practical work in databases. To clarify the above protocol, we give a real-life example. In a digital library where document files, audio files and video files are provided, registered users can use them for a certain period. On the one hand, to prevent the database provider from knowing users’ personal information and interests, users are allowed to use the records anonymously and obliviously. On the other hand, to prevent users overus- ing the resource, such as video files which require more bandwidth, the database provider must restrict the number of times which a user can access the record according to its properties in a certain period. In this paper, we propose a practical solution that fits and solves this scenario.