What cryptographic protocol or algorithm can I use to encrypt/decrypt a subset of columns of a database table for each user?

For example, say I have a database table with 50 columns:

col1, col2, col3, col4......col50

Now I want to reveal the data such that:

user1 can see (have access to) col15 and col17 only at time t1, and
user2 can see (have access to) col7, col9 and col20 only at time t1.
user3 and user4 can both see data only in col40 at time t1.
user1 can see (have access to) col24 only (which means access to the previously assigned col15 and col17 will be disabled) at time t2.
user1 can have access to an additional column, say col42, at time t3. So at time t3 user1 has access to both col24 and col42.

I am wondering whether I can issue tokens to users such that each token would hold access to a set of columns in a database table, or something like that.

What kind of efficient protocol or algorithm can I use to construct such a scheme?

My scalability requirements

At most I will probably have 1000 columns (maximum). I can have millions or billions of users. Algorithms that can scale to millions are also OK.

user1870400

1 Answer

A solution using attribute-based encryption

You could solve the problem you pose relatively elegantly using attribute-based encryption (ABE; cf. [1]). For example, using a ciphertext-policy ABE you could do the following. Let {col1, col2, ..., col50} be the universe of attributes and, for each user, assign a key with respect to the attributes she is allowed to access. To take your example, user1 would get a key with respect to {col15, col17}. Each column is then encrypted with respect to its column attribute so that every user who is in possession of a key with the respective attribute can decrypt the column.

An alternative solution

Since it seems that the number of columns you want to encrypt is rather small, you could also use an alternative approach known as hybrid encryption: you choose a symmetric encryption scheme and encrypt each column under a separate key. Additionally, you use an asymmetric encryption scheme to encrypt the respective symmetric keys for the users who have access to a certain column. Let $k_1, \dots, k_{50}$ be the symmetric keys used to encrypt column 1 to column 50; then, again taking your example, you would encrypt $k_{15}$ and $k_{17}$ under the public encryption key for the asymmetric encryption scheme of user 1.

Scalability requirements

Since the number of columns is relatively small (< 1000), I think that both solutions above should perform well. Note that for the second solution the ciphertexts which are handed to the users are of linear size in the number of columns. Using the ABE approach you will be able to get constant-size ciphertexts (depending on the ABE used), but this will come at the cost of more expensive encryption and decryption. So choosing one of those two approaches can be viewed as choosing a trade-off between ciphertext size and efficiency.

References

[1] What is Attribute Based Encryption?

dade
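
The hybrid scheme from "An alternative solution" in the answer above, as an added example that is not part of the original answer: each column has its own symmetric key, and a user receives those keys wrapped under her public key. The function names, the sample values, and the choice of AES-256-GCM and RSA-OAEP with the column name as label are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Encrypt one cell under its column key k_i (AES-256-GCM): iv || tag || ciphertext.
function seal(columnKey, cell) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', columnKey, iv);
  const body = Buffer.concat([c.update(cell, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

// Decrypt a cell; throws if the key is wrong or the cell was modified.
function open(columnKey, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', columnKey, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]).toString('utf8');
}

// RSA-OAEP options; the column name is the OAEP label, so a wrapped key only
// unwraps under the column it was issued for (a choice made for this example).
const oaep = (key, col) => ({
  key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256', oaepLabel: Buffer.from(col),
});

// Server side: wrap the keys of the granted columns under one user's public key.
// One RSA ciphertext per column, so a grant grows linearly with the column count.
function grant(publicKey, columnKeys, cols) {
  return new Map(cols.map((col) => [col, crypto.publicEncrypt(oaep(publicKey, col), columnKeys[col])]));
}

// User side: unwrap the column key with the private key, then decrypt the cell.
function read(privateKey, wrapped, col, sealed) {
  if (!wrapped.has(col)) throw new Error(`no wrapped key for ${col}`);
  return open(crypto.privateDecrypt(oaep(privateKey, col), wrapped.get(col)), sealed);
}

// Constructed data following the question: user1 is granted col15 and col17 only.
function demo() {
  const columnKeys = Object.fromEntries(['col15', 'col17', 'col40'].map((c) => [c, crypto.randomBytes(32)]));
  const row = { col15: seal(columnKeys.col15, 'value-15'), col40: seal(columnKeys.col40, 'value-40') };
  const user1 = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const wrapped = grant(user1.publicKey, columnKeys, ['col15', 'col17']);
  let denied = false;
  try { read(user1.privateKey, wrapped, 'col40', row.col40); } catch { denied = true; }
  return { col15: read(user1.privateKey, wrapped, 'col15', row.col15), col40Denied: denied, keysHeld: wrapped.size };
}

console.log(demo());
```

The example covers a single point in time. Taking a column away from a user who has already unwrapped its key (the t2 case in the question) is not achieved by withholding the wrapped key alone; the column has to be re-encrypted under a fresh key.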