Differentially Private Aggregation of Distributed Time ...rlu1/slide/20131019lechen.pdf ·...
Transcript of Differentially Private Aggregation of Distributed Time ...rlu1/slide/20131019lechen.pdf ·...
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Differentially Private Aggregation of DistributedTime-series with Transformation and Encryption
Part 3 — Differentially Private Aggregation
presenter: Le Chen
Nanyang Technological University
October 20, 2013
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Introduction
Outline
Introduction
Basic Ideas
The Proposed Protocol
Conclusion & Discussion
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Introduction
Reference
Cynthia Dwork.Differential Privacy.Invited talk at ICALP, Venice, Italy, July 10-14, 2006.Automata, Languages and Programming, Lecture Notes inComputer Science Volume 4052, 2006, pp 1-12.
Wikipedia.<http:
//en.wikipedia.org/wiki/Differential_privacy>
Elaine Shi, T-H. Hubert Chan, Eleanor Rieffel, Richard Chowand Dawn Song.Privacy-Preserving Aggregation of Time-Series Data.In Network and Distributed System Security Symposium(NDSS), 2011.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Introduction
Reference
T-H. Hubert Chan, Elaine Shi, and Dawn SongPrivacy-Preserving Stream Aggregation with Fault Tolerance.16th International Conference, FC 2012, Kralendijk, Bonaire,Februray 27-March 2, 2012. Financial Cryptography and DataSecurity, Lecture Notes in Computer Science Volume 7397,2012, pp 200-214.
Vibhor Rastogi, Suman NathDifferentially Private Aggregation of Distributed Time-serieswith Transformation and Encryption.ACM SIGMOD 2010, New York, NY. Proceedings of the 2010ACM SIGMOD International Conference on Management ofData, pages 735-746.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Motivation
Motivation of Aggregation
model.jpg
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Motivation
System Model
I I = I1 ∪ I2 · · · ∪ IU
I nbrs(I ): the data obtained from adding/removing one user’sdata from I .
I Q = {Q1,Q2, · · ·Qn}
I Q(I ) = {Q1(I ),Q2(I ), · · ·Qn(I )}
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Differential Privacy
Differential Privacy
I For all I , and I ′ ∈ nbrs(I )
Pr [A(I )] = x ≤ eεPr [A(I ′) = x ]
I Sensitivity: ∆(Q) = max |Q(I )− Q(I ′)|
I Laplace noise: LAP(λ)
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Differential Privacy
Laplace Perturbation Algorithm
I Laplace Perturbation Algorithm (LPA):LPA(Q, λ) is ε-differentially private for λ = ∆(Q)/ε
I Error: error(LPA) = ∆(Q)/ε
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Differential Privacy
Distributed LPA
I Let xu be the value of user u, the aggregate-sum queryQ(I ) =
∑Uu=1 xu.
I Perturb: each user u adds a share of noise, nu, to his privatevalue xu.
I To keep the estimation error small, the noise shares arechosen such that
∑Uu=1 nu is sufficient for differential privacy,
but nu alone is not sufficient: thus the value xu + nu can notdirectly be sent to the aggregator.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Differential Privacy
Basic Distributed Protocol
protocol.jpg
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Differential Privacy
Challenges
I The noise shares have to be generated in a way so that theirsum is sufficient for differential privacy.
I The aggregator can be malicious: the aggregator can cheatand request the decryption of wrong values, for instance, theencrypted private value of a single user, in which case theusers will be inadvertently decrypting the private value of thatuser.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Decryption
Basics: Encryption Scheme
Paillier Encryption
I Parameters: private key λ, public key N, g , gλ.
I Encryption: c = g trN
I Decryption: let L(u) = (u − 1)/N, Dec(c) = L(cλ mod N2)L(gλ mod N2)
.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Distributed Decryption
Basics: Encryption Scheme
I Distributed decryption: Suppose the private key λ is shared byU users as λ =
∑u λu where λu is the private key for user u.
I Each user u computes his decryption share cu = cλu .
I The decryption shares are combined as c ′ =∏U
u=1 cu.
I Finally the decryption t = L(c ′ mod N2)L(gλ mod N2)
is computed.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Computing Exact Sum
Protocol for Computing Exact Sum
I Encrypt-Sum(xu, ru): each user u encrypts his private value,xu, added to a randomly generated ru. Note that ru is knownonly to user u.
I The aggregator obtains all the encryptions and multiples themto compute c . Due to the homomorphic properties of theencryption, the obtained c is an encryption of∑U
u=1(xu + ru) = Q +∑U
u=1 ru.
I Modified distributed decryption: Decrypt-Sum(c , ru).
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Computing Exact Sum
Protocol for Computing Exact Sum
Decrypt-Sum(c , ru)
I The aggregator sends c to each user u for decryption.
I User u computes decryption share c ′u = cλug−ruλ.
I The aggregator collects c ′u from each user, combines them toget c ′ =
∏Uu=1 c ′u, and computes the final decryption
Q = L(c ′ mod N2)L(gλ mod N2)
.
I Except for∑U
u=1 xu, no other linear combinations can becomputed.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Computing Noisy Sum
Protocol for Computing Noisy Sum
I Remember that LPA requires us to compute Q̃ = Q + Lap(λ)
I Let Yi ∼ N(0, λ) for i ∈ {1, 2, 3, 4} be four Gaussian randomvariables. Then Z = Y 2
1 + Y 22 − Y 2
3 − Y 24 is a Lap(2λ2)
random variable.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Computing Noisy Sum
Encrypt Noisy Sum
noisy sum.jpg
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Computing Noisy Sum
Encrypt Sum Squared
sum squared.jpg
where a =∑
u au, Enc(a2) is computed and made public(How?),and
∑u bu = 0.
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Computing Noisy Sum
Theorem
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion
Conclusion & Discussion
Conclusion & Discussion
I We introduced an aggregation protocol supports distributeddifferential privacy and distributed decryption.
I The distributed algorithms need interaction.
I In the decryption of exact sum Decrypt-Sum, can we changeru to ru − nu such that a noise is left in the sum?
I In the extension part, the paper indicates that it can support’fault tolerant’ with threshold decryption. However, will itcause privacy problems?
presenter: Le Chen Nanyang Technological University [email protected]
Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption