Preserving differential privacy under finite-precision semantics

The approximation introduced by finite-precision representation of continuous data can induce arbitrarily large information leaks even when the computation using exact semantics is secure. Such leakage can thus undermine design efforts aimed at protecting sensitive information. We focus here on differential privacy, an approach to privacy that emerged from the area of statistical databases and is now widely applied also in other domains. In this approach, privacy is protected by the addition of noise to a true (private) value. To date, this approach to privacy has been proved correct only in the ideal case in which computations are made using an idealized, infinite-precision semantics. In this paper, we analyze the situation at the implementation level, where the semantics is necessarily finite-precision, i.e. the representation of real numbers, and the operations on them, are rounded according to some level of precision. We show that in general there are violations of the differential privacy property, and we study the conditions under which we can still guarantee a limited (but, arguably, totally acceptable) variant of the property, under only a minor degradation of the privacy level. Finally, we illustrate our results on two cases of noise-generating distributions: the standard Laplacian mechanism commonly used in differential privacy, and a bivariate version of the Laplacian recently introduced in the setting of privacy-aware geolocation.
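The following is an added illustration, not code from the paper: it implements the Laplacian mechanism over a finite set of uniform draws and a rounded noise grid (a constructed model of finite precision), and measures the worst-case likelihood ratio between two adjacent inputs. Without post-processing the ratio is infinite, because some outputs are attainable from one input only; clamping and rounding the output to a coarse grid (the kind of limited variant the abstract refers to; the parameters 0.5 and 5.0 are assumptions) restores a finite ratio close to the ideal e^0.3.

```python
import math
from collections import Counter

SCALE = 1.0          # Laplace scale b = sensitivity / epsilon, here epsilon = 1
N_UNIFORM = 1 << 14  # finite set of uniform draws the sampler can produce (constructed)
NOISE_BITS = 10      # reals are rounded to a 2**-10 grid (constructed precision model)

def fl(r, bits):
    """Round a real to the nearest multiple of 2**-bits: the finite-precision grid."""
    return round(r * (1 << bits)) / (1 << bits)

def laplace_outputs(x):
    """All outputs the implemented mechanism can produce on input x, with probabilities.
    Inverse-CDF Laplace sampling from the finite uniforms u_i = (i + 0.5)/N - 0.5."""
    counts = Counter()
    for i in range(N_UNIFORM):
        u = (i + 0.5) / N_UNIFORM - 0.5  # in (-0.5, 0.5), never exactly 0 or +-0.5
        noise = -SCALE * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
        counts[fl(x + fl(noise, NOISE_BITS), NOISE_BITS)] += 1
    return {v: c / N_UNIFORM for v, c in counts.items()}

def snap(dist, step, bound):
    """Post-processing defence: clamp to [-bound, bound], then round to a grid of width step."""
    out = Counter()
    for v, p in dist.items():
        out[round(max(-bound, min(bound, v)) / step) * step] += p
    return dict(out)

def max_ratio(d0, d1):
    """exp(eps') actually achieved: the worst probability ratio over all outputs.
    Infinite when a value is attainable under one input but not the other."""
    worst = 1.0
    for v in set(d0) | set(d1):
        if v not in d0 or v not in d1:
            return math.inf
        worst = max(worst, d0[v] / d1[v], d1[v] / d0[v])
    return worst

def demo(x0=0.0, x1=0.3):
    """Adjacent inputs at distance 0.3: ideal ratio is exp(0.3) ~ 1.35."""
    d0, d1 = laplace_outputs(x0), laplace_outputs(x1)
    raw = max_ratio(d0, d1)                                   # inf: supports differ
    snapped = max_ratio(snap(d0, 0.5, 5.0), snap(d1, 0.5, 5.0))  # finite, near 1.35
    return raw, snapped

if __name__ == "__main__":
    print(demo())
```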
