Results 1  10
of
24
Probabilistic Relational Reasoning for Differential Privacy
"... Differential privacy is a notion of confidentiality that protects the privacy of individuals while allowing useful computations on their private data. Deriving differential privacy guarantees for real programs is a difficult and errorprone task that calls for principled approaches and tool support. ..."
Abstract

Cited by 27 (6 self)
 Add to MetaCart
Differential privacy is a notion of confidentiality that protects the privacy of individuals while allowing useful computations on their private data. Deriving differential privacy guarantees for real programs is a difficult and errorprone task that calls for principled approaches and tool support. Approaches based on linear types and static analysis have recently emerged; however, an increasing number of programs achieve privacy using techniques that cannot be analyzed by these approaches. Examples include programs that aim for weaker, approximate differential privacy guarantees, programs that use the Exponential mechanism, and randomized programs that achieve differential privacy without using any standard mechanism. Providing support for reasoning about the privacy of such programs has been an open problem. We report on CertiPriv, a machinechecked framework for reasoning about differential privacy built on top of theCoq proof assistant. The central component ofCertiPriv is a quantitative extension of a probabilistic relational Hoare logic that enables one to derive differential privacy guarantees for programs from first principles. We demonstrate the expressiveness of CertiPriv using a number of examples whose formal analysis is out of the reach of previous techniques. In particular, we provide the first machinechecked proofs of correctness of the Laplacian and Exponential mechanisms and of the privacy of randomized and streaming algorithms from the recent literature.
Linear Dependent Types for Differential Privacy
"... Differential privacy offers a way to answer queries about sensitive information while providing strong, provable privacy guarantees, ensuring that the presence or absence of a single individual in the database has a negligible statistical effect on the query’s result. Proving that a given query has ..."
Abstract

Cited by 16 (7 self)
 Add to MetaCart
(Show Context)
Differential privacy offers a way to answer queries about sensitive information while providing strong, provable privacy guarantees, ensuring that the presence or absence of a single individual in the database has a negligible statistical effect on the query’s result. Proving that a given query has this property involves establishing a bound on the query’s sensitivity—how much its result can change when a single record is added or removed. A variety of tools have been developed for certifying that a given query is differentially private. In one approach, Reed and Pierce [34] proposed a functional programming language, Fuzz, for writing differentially private queries. Fuzz uses linear types to track sensitivity and a probability monad to express randomized computation; it guarantees that any program with a certain type is differentially private. Fuzz can successfully verify many useful queries. However, it fails when the sensitivity analysis depends on values that are not known statically. We present DFuzz, an extension of Fuzz with a combination of linear indexed types and lightweight dependent types. This combination allows a richer sensitivity analysis that is able to certify a larger class of queries as differentially private, including ones whose sensitivity depends on runtime information. As in Fuzz, the differential privacy guarantee follows directly from the soundness theorem of the type system. We demonstrate the enhanced expressivity of DFuzz by certifying differential privacy for a broad class of iterative algorithms that could not be typed previously. Categories and Subject Descriptors D.3.2 [Programming Languages]: Language Classifications—Specialized application languages;
On the relation between Differential Privacy and Quantitative Information Flow ⋆
, 2011
"... Abstract. Differential privacy is a notion that has emerged in the community of statistical databases, as a response to the problem of protecting the privacy of the database’s participants when performing statistical queries. The idea is that a randomized query satisfies differential privacy if the ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Differential privacy is a notion that has emerged in the community of statistical databases, as a response to the problem of protecting the privacy of the database’s participants when performing statistical queries. The idea is that a randomized query satisfies differential privacy if the likelihood of obtaining a certain answer for a database x is not too different from the likelihood of obtaining the same answer on adjacent databases, i.e. databases which differ from x for only one individual. Information flow is an area of Security concerned with the problem of controlling the leakage of confidential information in programs and protocols. Nowadays, one of the most established approaches to quantify and to reason about leakage is based on the Rényi min entropy version of information theory. In this paper, we analyze critically the notion of differential privacy in light of the conceptual framework provided by the Rényi min information theory. We show that there is a close relation between differential privacy and leakage, due to the graph symmetries induced by the adjacency relation. Furthermore, we consider the utility of the randomized answer, which measures its expected degree of accuracy. We focus on certain kinds of utility functions called “binary”, which have a close correspondence with the Rényi min mutual information. Again, it turns out that there can be a tight correspondence between differential privacy and utility, depending on the symmetries induced by the adjacency relation and by the query. Depending on these symmetries we can also build an optimalutility randomization mechanism while preserving the required level of differential privacy. Our main contribution is a study of the kind of structures that can be induced by the adjacency relation and the query, and how to use them to derive bounds on the leakage and achieve the optimal utility. 1
Quantifying Information Flow Using MinEntropy
"... Quantitative theories of information flow are of growing interest, due to the fundamental importance of protecting confidential information from improper disclosure, together with the unavoidability of “small” leaks in practical systems. But while it is tempting to measure leakage using classic inf ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Quantitative theories of information flow are of growing interest, due to the fundamental importance of protecting confidential information from improper disclosure, together with the unavoidability of “small” leaks in practical systems. But while it is tempting to measure leakage using classic informationtheoretic concepts like Shannon entropy and mutual information, these turn out not to provide very satisfactory security guarantees. As a result, several researchers have developed an alternative theory based on Rényi’s minentropy. In this theory, uncertainty is measured in terms of a random variable’s vulnerability to being guessed in one try by an adversary; note that this is the complement of the Bayes Risk. In this paper, we survey the main theory of minentropy leakage in deterministic and probabilistic systems, including comparisons with mutual information leakage, results on mincapacity, results on channels in cascade, and techniques for calculating minentropy leakage in systems.
Broadening the scope of Differential Privacy Using Metrics ⋆
, 2013
"... Abstract. Differential Privacy is one of the most prominent frameworks used to deal with disclosure prevention in statistical databases. It provides a formal privacy guarantee, ensuring that sensitive information relative to individuals cannot be easily inferred by disclosing answers to aggregate qu ..."
Abstract

Cited by 12 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Differential Privacy is one of the most prominent frameworks used to deal with disclosure prevention in statistical databases. It provides a formal privacy guarantee, ensuring that sensitive information relative to individuals cannot be easily inferred by disclosing answers to aggregate queries. If two databases are adjacent, i.e. differ only for an individual, then the query should not allow to tell them apart by more than a certain factor. This induces a bound also on the distinguishability of two generic databases, which is determined by their distance on the Hamming graph of the adjacency relation. In this paper we explore the implications of differential privacy when the indistinguishability requirement depends on an arbitrary notion of distance. We show that we can naturally express, in this way, (protection against) privacy threats that cannot be represented with the standard notion, leading to new applications of the differential privacy framework. We give intuitive characterizations of these threats in terms of Bayesian adversaries, which generalize two interpretations of (standard) differential privacy from the literature. We revisit the wellknown results stating that universally optimal mechanisms exist only for counting queries: We show that, in our extended setting, universally optimal mechanisms exist for other queries too, notably sum, average, and percentile queries. We explore various applications of the generalized definition, for statistical databases as well as for other areas, such that geolocation and smart metering. 1
Differential Privacy: on the tradeoff between Utility and Information Leakage
, 2011
"... Differential privacy is a notion of privacy that has become very popular in the database community. Roughly, the idea is that a randomized query mechanism provides sufficient privacy protection if the ratio between the probabilities that two adjacent datasets give the same answer is bound by e ǫ. ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
(Show Context)
Differential privacy is a notion of privacy that has become very popular in the database community. Roughly, the idea is that a randomized query mechanism provides sufficient privacy protection if the ratio between the probabilities that two adjacent datasets give the same answer is bound by e ǫ. In the field of information flow there is a similar concern for controlling information leakage, i.e. limiting the possibility of inferring the secret information from the observables. In recent years, researchers have proposed to quantify the leakage in terms of minentropy leakage, a concept strictly related to the Bayes risk. In this paper, we show how to model the query system in terms of an informationtheoretic channel, and we compare the notion of differential privacy with that of minentropy leakage. We show that differential privacy implies a bound on the minentropy leakage, but not viceversa. Furthermore, we show that our bound is tight. Then, we consider the utility of the randomization mechanism, which represents how close the randomized answers are to the real ones, in average. We show that the notion of differential privacy implies a bound on utility, also tight, and we propose a method that under certain conditions builds an optimal randomization mechanism, i.e. a mechanism which provides the best utility while guaranteeing ǫdifferential privacy.
MinEntropy as a Resource
"... Secrecy is fundamental to computer security, but real systems often cannot avoid leaking some secret information. For this reason, it is useful to model secrecy quantitatively, thinking of it as a “resource ” that may be gradually “consumed ” by a system. In this paper, we explore this intuition thr ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
(Show Context)
Secrecy is fundamental to computer security, but real systems often cannot avoid leaking some secret information. For this reason, it is useful to model secrecy quantitatively, thinking of it as a “resource ” that may be gradually “consumed ” by a system. In this paper, we explore this intuition through several dynamic and static models of secrecy consumption, ultimately focusing on (average) vulnerability and minentropy leakage as especially useful models of secrecy consumption. We also consider several composition operators that allow smaller systems to be combined into a larger system, and explore the extent to which the secrecy consumption of a combined system is constrained by the secrecy consumption of its constituents.
MinEntropy Leakage of Channels in Cascade
"... Abstract. Theories of quantitative information flow offer an attractive framework for analyzing confidentiality in practical systems, which often cannot avoid “small ” leaks of confidential information. Recently there has been growing interest in the theory of minentropy leakage, which measures unc ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Theories of quantitative information flow offer an attractive framework for analyzing confidentiality in practical systems, which often cannot avoid “small ” leaks of confidential information. Recently there has been growing interest in the theory of minentropy leakage, which measures uncertainty based on a random variable’s vulnerability to being guessed in one try by an adversary. Here we contribute to this theory by studying the minentropy leakage of systems formed by cascading two channels together, using the output of the first channel as the input to the second channel. After considering the semantics of cascading carefully and exposing some technical subtleties, we prove that the minentropy leakage of a cascade of two channels cannot exceed the leakage of the first channel; this result is a minentropy analogue of the classic dataprocessing inequality. We show however that a comparable bound does not hold for the second channel. We then consider the mincapacity, or maximum leakage over all a priori distributions, showing that the mincapacity of a cascade of two channels cannot exceed the mincapacity of either channel. 1
πBox: A Platform for PrivacyPreserving Apps
"... We present πBox, a new application platform that prevents apps from misusing information about their users. To strike a useful balance between users ’ privacy and apps ’ functional needs, πBox shifts much of the responsibility for protecting privacy from the app and its users to the platform itself. ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
(Show Context)
We present πBox, a new application platform that prevents apps from misusing information about their users. To strike a useful balance between users ’ privacy and apps ’ functional needs, πBox shifts much of the responsibility for protecting privacy from the app and its users to the platform itself. To achieve this, πBox deploys (1) a sandbox that spans the user’s device and the cloud, (2) specialized storage and communication channels that enable common app functionalities, and (3) an adaptation of recent theoretical algorithms for differential privacy under continual observation. We describe a prototype implementation of πBox and show how it enables a wide range of useful apps with minimal performance overhead and without sacrificing user privacy. 1
Quantitative Information Flow and applications to Differential Privacy
, 2011
"... Secure information flow is the problem of ensuring that the information made publicly available by a computational system does not leak information that should be kept secret. Since it is practically impossible to avoid leakage entirely, in recent years there has been a growing interest in consider ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Secure information flow is the problem of ensuring that the information made publicly available by a computational system does not leak information that should be kept secret. Since it is practically impossible to avoid leakage entirely, in recent years there has been a growing interest in considering the quantitative aspects of information flow, in order to measure and compare the amount of leakage. Information theory is widely regarded as a natural framework to provide firm foundations to quantitive information flow. In this notes we review the two main informationtheoretic approaches that have been investigated: the one based on Shannon entropy, and the one based on Rényi minentropy. Furthermore, we discuss some applications in the area of privacy. In particular, we consider statistical databases and the recentlyproposed notion of differential privacy. Using the informationtheoretic view, we discuss the bound that differential privacy induces on leakage, and the tradeoff between utility and privacy.