Dynamic spectrum access (DSA) technique has emerged as a fundamental approach to mitigate the spectrum scarcity problem. As a key form of DSA, the government is proposing to release more federal spectrum for sharing with commercial wireless users. However, the flourish of federal-commercial sharing hinges upon how the federal privacy is managed. In current DSA proposals, the sensitive exclusion zone (E-Zone) information of federal incumbent users (IUs) needs to be shared with a spectrum access system (SAS) to realize spectrum allocation. However, SAS is not necessarily trust-worthy for holding the sensitive IU E-Zone data, especially considering that FCC allows some industry third parties (e.g., Google) to operate SAS for better efficiency and scalability. Therefore, the current proposals dissatisfy the IUs' privacy requirement. To address the privacy issue, this paper presents an IU-privacy-preserving SAS (IP-SAS) design, which realizes the spectrum allocation process through secure computation over ciphertext based on homomorphic encryption so that none of the IU EZone information is exposed to SAS. This paper also proposes mechanisms to prevent malicious parties from compromising IP-SAS. We prove the privacy-preserving properties of IP-SAS and demonstrate the scalability and practicality of IP-SAS using experiments based on real-world data. Evaluation results show that IP-SAS can respond an SU's spectrum request in 1.25 seconds with communication overhead of 17.8 KB.