Metrics for Differential Privacy in Concurrent Systems

Originally proposed for privacy protection in the context of statistical databases, differential privacy is now widely adopted in various models of computation. In this paper we investigate techniques for proving differential privacy in the context of concurrent systems. Our motivation stems from the work of Tschantz et al., who proposed a verification method based on proving the existence of a stratified family of relations between states that tracks the privacy leakage and ensures that it does not exceed a given leakage budget. We improve this technique by investigating a state property which is more permissive and still implies differential privacy. We consider two pseudometrics on probabilistic automata: the first one is essentially a reformulation of the notion proposed by Tschantz et al.; the second one is a more liberal variant, which relaxes the relation between states by integrating the notion of amortisation and thus results in a more parsimonious use of the privacy budget. We show that metric closeness of automata guarantees the preservation of differential privacy, which makes both metrics suitable for verification. Moreover, we show that process combinators are non-expansive in this pseudometric framework. We apply the framework to reason about the degree of differential privacy of protocols, using the Dining Cryptographers Protocol with biased coins as an example.
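As an added illustration (not code from the paper), the degree of differential privacy of the Dining Cryptographers ring with biased coins can be computed by brute force: the payer's identity is the secret, the announcement vector is the observable, and the privacy level is the largest log-ratio between the output distributions of any two payers. The coin convention (coin i shared between cryptographers i and i+1, heads with probability p_heads) and the function names are assumptions of this example.

```python
import math
from itertools import product


def dc_announcements(n, payer, coins):
    """Announcement vector of an n-party Dining Cryptographers ring.

    coins[i] is the coin shared by cryptographer i and i+1 (mod n); this
    indexing is an assumption of the example. Cryptographer i announces
    coins[i-1] XOR coins[i], flipped if i is the payer.
    """
    return tuple(coins[(i - 1) % n] ^ coins[i] ^ (1 if i == payer else 0)
                 for i in range(n))


def announcement_distribution(n, payer, p_heads):
    """P(announcement | payer), each coin independently heads (1) w.p. p_heads."""
    dist = {}
    for coins in product((0, 1), repeat=n):
        heads = sum(coins)
        prob = p_heads ** heads * (1 - p_heads) ** (n - heads)
        out = dc_announcements(n, payer, coins)
        dist[out] = dist.get(out, 0.0) + prob
    return dist


def dc_epsilon(n, p_heads):
    """Smallest eps such that the protocol is eps-differentially private
    with respect to the payer's identity: max over payers s1 != s2 and
    announcements o of ln(P(o | s1) / P(o | s2)). The 'nobody pays' case is
    excluded, since its announcements have even parity and cannot be
    bounded against a paying cryptographer with any finite eps."""
    dists = [announcement_distribution(n, s, p_heads) for s in range(n)]
    eps = 0.0
    for s1 in range(n):
        for s2 in range(n):
            if s1 == s2:
                continue
            for out, pr1 in dists[s1].items():
                pr2 = dists[s2].get(out, 0.0)
                if pr2 == 0.0:
                    return math.inf  # disjoint supports: no finite budget
                eps = max(eps, math.log(pr1 / pr2))
    return eps


if __name__ == "__main__":
    for bias in (0.5, 0.6, 0.9):  # fair coins give eps = 0; bias leaks
        print(f"n=3, P(heads)={bias}: eps = {dc_epsilon(3, bias):.4f}")
```

For three cryptographers the output distribution of payer i puts probability p^3 + (1-p)^3 on the announcement that is 1 only at position i and p(1-p) on each of the other three odd-parity announcements, so eps = |ln((p^3 + (1-p)^3) / (p(1-p)))|, which vanishes exactly at p = 1/2.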

[1] John Derrick et al. Formal Techniques for Networked and Distributed Systems - FORTE 2007, 27th IFIP WG 6.1 International Conference, Tallinn, Estonia, June 27-29, 2007, Proceedings, 2007, FORTE.

[2] Catuscia Palamidessi et al. Making Random Choices Invisible to the Scheduler, 2007, CONCUR.

[3] Cynthia Dwork et al. Differential Privacy, 2006, ICALP.

[4] Ana Sokolova et al. Probabilistic Anonymity and Admissible Schedulers, 2007, ArXiv.

[5] Astrid Kiehn et al. Amortised Bisimulations, 2005, FORTE.

[6] Kim G. Larsen et al. Bisimulation through Probabilistic Testing, 1991, Inf. Comput.

[7] Lili Xu et al. Modular Reasoning about Differential Privacy in a Probabilistic Process Calculus, 2012, TGC.

[9] Jun Pang et al. Measuring Anonymity with Relative Entropy, 2006, Formal Aspects in Security and Trust.

[10] Chunyan Mu et al. Measuring Information Flow in Reactive Processes, 2009, ICICS.

[11] Martín Abadi et al. A Calculus for Cryptographic Protocols: The spi Calculus, 1999, Inf. Comput.

[12] Catuscia Palamidessi et al. Compositional methods for information-hiding, 2008, Mathematical Structures in Computer Science.

[13] A. Tarski. A Lattice-Theoretical Fixpoint Theorem and Its Applications, 1955.

[14] George Danezis et al. Verified Computational Differential Privacy with Applications to Smart Metering, 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[15] Kim G. Larsen et al. On Modal Refinement and Consistency, 2007, CONCUR.

[16] J. Meseguer et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.

[17] James Worrell et al. An Algorithm for Quantitative Verification of Probabilistic Transition Systems, 2001, CONCUR.

[18] Theo Dimitrakos et al. Formal Aspects in Security and Trust, Fourth International Workshop, FAST 2006, Hamilton, Ontario, Canada, August 26-27, 2006, Revised Selected Papers, 2007, Formal Aspects in Security and Trust.

[19] Walter Vogler et al. Bisimulation on speed: A unified approach, 2006, Theor. Comput. Sci.

[20] David Chaum et al. The dining cryptographers problem: Unconditional sender and recipient untraceability, 1988, Journal of Cryptology.

[21] Michele Boreale. Quantifying information leakage in process calculi, 2009, Inf. Comput.

[22] Benjamin C. Pierce et al. Distance makes the types grow stronger: a calculus for differential privacy, 2010, ICFP '10.

[23] Roberto Gorrieri et al. Classification of Security Properties (Part I: Information Flow), 2000, FOSAD.

[24] Robin Milner et al. Communication and concurrency, 1989, PHI Series in computer science.

[25] Jianying Zhou et al. Information and Communications Security, 2013, Lecture Notes in Computer Science.

[26] Ian Stark et al. Free-Algebra Models for the pi-Calculus, 2005, FoSSaCS.

[27] Roberto Gorrieri et al. Foundations of Security Analysis and Design VII, 2014, Lecture Notes in Computer Science.

[28] Catuscia Palamidessi et al. Broadening the Scope of Differential Privacy Using Metrics, 2013, Privacy Enhancing Technologies.

[29] Nancy A. Lynch et al. Using Task-Structured Probabilistic I/O Automata to Analyze an Oblivious Transfer Protocol, 2006.

[30] Andreas Haeberlen et al. Linear dependent types for differential privacy, 2013, POPL.

[31] Vitaly Shmatikov et al. De-anonymizing Social Networks, 2009, 2009 30th IEEE Symposium on Security and Privacy.

[32] Tom Chothia et al. Metrics for Action-labelled Quantitative Transition Systems, 2006, QAPL.

[33] Fernando Rosa-Velardo et al. New Bisimulation Semantics for Distributed Systems, 2007, FORTE.

[34] Martín Abadi et al. A calculus for cryptographic protocols: the spi calculus, 1997, CCS '97.

[35] Jane Hillston et al. Challenges for Quantitative Analysis of Collective Adaptive Systems, 2013, TGC.

[36] Geoffrey Smith et al. Probabilistic noninterference through weak probabilistic bisimulation, 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings.

[37] Robin Milner et al. On Observing Nondeterminism and Concurrency, 1980, ICALP.

[38] Dilsun Kirli Kaynar et al. Formal Verification of Differential Privacy for Interactive Systems, 2011, ArXiv.

[39] Peter Y. A. Ryan et al. Process algebra and non-interference, 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[40] Scott A. Smolka et al. Equivalences, Congruences, and Complete Axiomatizations for Probabilistic Processes, 1990, CONCUR.

[41] Farn Wang. Formal Techniques for Networked and Distributed Systems - FORTE 2005, 25th IFIP WG 6.1 International Conference, Taipei, Taiwan, October 2-5, 2005, Proceedings, 2005, FORTE.

[42] Ana Sokolova et al. Information Hiding in Probabilistic Concurrent Systems, 2010, 2010 Seventh International Conference on the Quantitative Evaluation of Systems.

[43] Radha Jagadeesan et al. The metric analogue of weak bisimulation for probabilistic processes, 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[44] Gilles Barthe et al. Probabilistic Relational Reasoning for Differential Privacy, 2012, TOPL.

[45] Ashwin Machanavajjhala et al. Privacy: Theory meets Practice on the Map, 2008, 2008 IEEE 24th International Conference on Data Engineering.