Download   Report
  1. No category

Verifiable Differential Privacy

Arjun Narayan
Andreas Haeberlen
privacy.cis.upenn.edu
Verifiable Differential Privacy
{narayana,ahae} @ cis.upenn.edu
Ariel Feldman
What is the Problem?
Differential Privacy
Doris
Elbonia
Bob
Cancer
Hank
Elbonia
Doris
Malaria
Publication
Hank
Malaria
Emil
Bob
Paris
...
...
HIV
...
...
Doctors
Airlines
Subjects
Greg
Curator
Analyst
Readers
2. Sometimes queries span multiple private
databases,
and
existing
solutions
don’t
work.
Privacy requirements can be very
strict: medical or census data is
extremely sensitive.
Insight: Use Set Intersections
Some Joins can be rewritten as set intersections.
SELECT COUNT(X) FROM HOSPITAL JOIN AIRLINE
WHERE Destination= “Elbonia” AND Diagnosis = “Malaria”
Verifiable Computing
Insight: Verifiable computing allows
∩proofs
us to generate zero-knowledge
of correct execution.
Doris
Elbonia
Bob
Cancer
Hank
Elbonia
Doris
Malaria
Emil
Vegas
Hank
Malaria
Bob
Paris
Greg
HIV
Charlie Elbonia
Who went to Elbonia?
Data Alice
Data set
Malaria
Who had Malaria?
Subjects
Curator
Doris
Hank
Hank
Charlie
Alice
Publication
=
Doris
Hank
=2
Publication
Analyst
Readers
We modify existing private set intersection
Subjects[Freedman
Curator
algorithms
et al Analyst
2004] to Readers
run our
queries
in a differentially
private
fashion. that
Challenge:
We need
to ensure
Proof
Challenge: Verifying Results
Idea 1: Give all the
Idea 2: Use Secure
Idea 3: Use PDDP
Privacy
requirements
hinder
key
data to a trusted party
Multiparty Computation
[NSDI 2012]
elements of the scientific process:
PDDP
reproducibility and verifiability.
Trusty Tim
DB
Solution: Publish differentially private
results, so individuals are protected.
Systems
like
Fuzz
and
PINQ
exist.
Rewriting JOIN queries
SELECT NOISY COUNT(A.ssn) FROM A,B WHERE
(A.ssn=B.ssn OR A.id=B.id) AND A.diagnosis= ‘malaria’
Rewriting Fuzz Programs
Original non-private query
Rewritten query using private primitives
Key idea: 1) Rewrite Fuzz programs into
−
circuits that
are private.
+
∪
2) Verify
the
| ∩ | computed
|∩|
|∩|
σ
σ circuit was
π
π
π
π
properly
using Pantryπ π
σ
Challenge: Performance.
σ
Solution:
Exploit
the structure
of
typical
A
B
A
B
programs to parallelize.
|⋅|
A.ssn=B.ssn
A.id=B.id
ssn
id
ssn
id
ssn,id
ssn,id
diag='malaria'
A single JOIN query may use multiple set intersections.
+
Ask me for details!
+
over_40
sample
count
Commitments
+
generating proofs is efficient, and
that the proof objects preserve
privacy.
+
+
+
+
Data set
Map tiles
+
+
Data set
Data
Result:
How it works: Add carefully
Provable privacy guarantees.
calculated
Get to use thenoise
data! to query results.
A.diag='malaria'
Data set
Data
Doris
1
is
okay to answer only queries that are
How does it work?
limited
to aggregates.
Adds
carefully
calculated noise to query result.
Existing differential privacy runtimes like PINQ
and Fuzz are limited to a single database.
+
Doris
Elbonia
Bob
Cancer
Hank
Elbonia
Doris
Malaria
Emil
Vegas
Hank
Malaria
Bob
Paris
Subjects
Greg
...
...
HIV
...
Publication
Curator
Analyst
Doris
Elbonia
Bob
Paris
Hank
Elbonia
Readers
Greg
HIV
What if we don’t
have one?
Feste
Cancer
Not designed
for JOIN queries.
It will take years.
Noise gives a fraudulent analyst
plausible deniability when forging
data. Privacy restrictions mean we
cannot
say
“show
me
the
data”.
How does DJoin Perform?
Simple queries on three databases with 15,000
rows each take between 1 and 7.5 hours.
Previous best was Secure Multiparty
Computation - i.e. years.
How does it perform?
500
400
Our example
queries on databases
300
with 65k
rows took under two hours
200
to generate private results and
100
proofs, but is highly parallelizable.
0
Q1
Q2
Q3
Q4
Q5
First distributed differentially private system
capable of executing JOIN queries.
Scalable: All operations parallelize very well.
Extensible to multi-way JOINs ≥3 parties.
120
100
80
60
40
20
Map
Map
Map
Over_40 Webserver Census
Map
K-means
Reduce
Noising
+
Noising tile
Vegas
...
0
Reduce tiles
Emil
Completion time
(minutes)
Some scientific studies require private
“Is there a Malaria epidemic in Elbonia?”
data to prove their hypotheses.
Challenge: Distributed Data
Key idea:
To protect individuals, It is okay to answer only
questions
that To
are protect
about aggregates.
Key idea:
individuals, it
1 Useful information exists in various
databases today, but getting access is hard
because the data is private.
Researcher
Data set
Andreas Haeberlen
Differential Privacy
What is the problem?
Vegas Data
Antonis Papadimitriou
Proof generation time (minutes)
Arjun Narayan
Verification takes seconds.
Malaria Research at Eijkman During Elimination Era

Malaria Research at Eijkman During Elimination Era

Privacy Act Data Cover Sheet DOCUMENTS ENCLOSED ARE SUBJECT

Privacy Act Data Cover Sheet DOCUMENTS ENCLOSED ARE SUBJECT

Table 1.46: Health Facilities in the Nkoranza South District S/N Location

Table 1.46: Health Facilities in the Nkoranza South District S/N Location

Mobile PCR Laboratory in Cambodia: developing migrant friendly

Mobile PCR Laboratory in Cambodia: developing migrant friendly

presentation

presentation

Target malaria elimination intervention in China using spatial

Target malaria elimination intervention in China using spatial

Welcome to the Laboratory for Microscopy and Microanalysis

Welcome to the Laboratory for Microscopy and Microanalysis

Privacy Policy - cretronix.co.uk

Privacy Policy - cretronix.co.uk

Joseph M. Bowen, M.D. Annette L. Asper, D.N.P. Seth T. Rosenthal

Joseph M. Bowen, M.D. Annette L. Asper, D.N.P. Seth T. Rosenthal

Fall 2014/2015 IS 493 Syllabus Instructor: Dr. Saad Alaboodi Office

Fall 2014/2015 IS 493 Syllabus Instructor: Dr. Saad Alaboodi Office

abcdocz.com

© Copyright 2024