
Introduction Basic Ideas The Proposed Protocol Conclusion & Discussion

Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption

Part 3 — Differentially Private Aggregation

presenter: Le Chen

Nanyang Technological University

lechen0213@gmail.com

October 20, 2013


Introduction

Outline

Introduction

Basic Ideas

The Proposed Protocol

Conclusion & Discussion


Reference

Cynthia Dwork. Differential Privacy. Invited talk at ICALP, Venice, Italy, July 10-14, 2006. Automata, Languages and Programming, Lecture Notes in Computer Science Volume 4052, 2006, pp 1-12.

Wikipedia. <http://en.wikipedia.org/wiki/Differential_privacy>

Elaine Shi, T-H. Hubert Chan, Eleanor Rieffel, Richard Chow and Dawn Song. Privacy-Preserving Aggregation of Time-Series Data. In Network and Distributed System Security Symposium (NDSS), 2011.


T-H. Hubert Chan, Elaine Shi, and Dawn Song. Privacy-Preserving Stream Aggregation with Fault Tolerance. 16th International Conference, FC 2012, Kralendijk, Bonaire, February 27-March 2, 2012. Financial Cryptography and Data Security, Lecture Notes in Computer Science Volume 7397, 2012, pp 200-214.

Vibhor Rastogi, Suman Nath. Differentially Private Aggregation of Distributed Time-series with Transformation and Encryption. ACM SIGMOD 2010, New York, NY. Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data, pages 735-746.


Motivation

Motivation of Aggregation

[Figure: model.jpg]


System Model

- $I = I_1 \cup I_2 \cup \cdots \cup I_U$

- $\mathrm{nbrs}(I)$: the data obtained from adding/removing one user's data from $I$.

- $Q = \{Q_1, Q_2, \ldots, Q_n\}$

- $Q(I) = \{Q_1(I), Q_2(I), \ldots, Q_n(I)\}$


Distributed Differential Privacy

Differential Privacy

- For all $I$, and $I' \in \mathrm{nbrs}(I)$:

  $\Pr[A(I) = x] \le e^{\varepsilon} \Pr[A(I') = x]$

- Sensitivity: $\Delta(Q) = \max |Q(I) - Q(I')|$

- Laplace noise: $\mathrm{Lap}(\lambda)$


Laplace Perturbation Algorithm

- Laplace Perturbation Algorithm (LPA): $\mathrm{LPA}(Q, \lambda)$ is $\varepsilon$-differentially private for $\lambda = \Delta(Q)/\varepsilon$

- Error: $\mathrm{error}(\mathrm{LPA}) = \Delta(Q)/\varepsilon$


Distributed LPA

- Let $x_u$ be the value of user $u$, the aggregate-sum query $Q(I) = \sum_{u=1}^{U} x_u$.

- Perturb: each user $u$ adds a share of noise, $n_u$, to his private value $x_u$.

- To keep the estimation error small, the noise shares are chosen such that $\sum_{u=1}^{U} n_u$ is sufficient for differential privacy, but $n_u$ alone is not sufficient: thus the value $x_u + n_u$ cannot directly be sent to the aggregator.


Basic Distributed Protocol

[Figure: protocol.jpg]


Challenges

- The noise shares have to be generated in a way so that their sum is sufficient for differential privacy.

- The aggregator can be malicious: the aggregator can cheat and request the decryption of wrong values, for instance, the encrypted private value of a single user, in which case the users will be inadvertently decrypting the private value of that user.


Distributed Decryption

Basics: Encryption Scheme

Paillier Encryption

- Parameters: private key $\lambda$, public key $N$, $g$, $g^{\lambda}$.

- Encryption: $c = g^{t} r^{N}$

- Decryption: let $L(u) = (u - 1)/N$, $\mathrm{Dec}(c) = \dfrac{L(c^{\lambda} \bmod N^2)}{L(g^{\lambda} \bmod N^2)}$.


- Distributed decryption: Suppose the private key $\lambda$ is shared by $U$ users as $\lambda = \sum_{u} \lambda_u$ where $\lambda_u$ is the private key for user $u$.

- Each user $u$ computes his decryption share $c_u = c^{\lambda_u}$.

- The decryption shares are combined as $c' = \prod_{u=1}^{U} c_u$.

- Finally the decryption $t = \dfrac{L(c' \bmod N^2)}{L(g^{\lambda} \bmod N^2)}$ is computed.


Computing Exact Sum

Protocol for Computing Exact Sum

- Encrypt-Sum($x_u$, $r_u$): each user $u$ encrypts his private value, $x_u$, added to a randomly generated $r_u$. Note that $r_u$ is known only to user $u$.

- The aggregator obtains all the encryptions and multiplies them to compute $c$. Due to the homomorphic properties of the encryption, the obtained $c$ is an encryption of $\sum_{u=1}^{U} (x_u + r_u) = Q + \sum_{u=1}^{U} r_u$.

- Modified distributed decryption: Decrypt-Sum($c$, $r_u$).


Decrypt-Sum($c$, $r_u$)

- The aggregator sends $c$ to each user $u$ for decryption.

- User $u$ computes decryption share $c'_u = c^{\lambda_u} g^{-r_u \lambda}$.

- The aggregator collects $c'_u$ from each user, combines them to get $c' = \prod_{u=1}^{U} c'_u$, and computes the final decryption $Q = \dfrac{L(c' \bmod N^2)}{L(g^{\lambda} \bmod N^2)}$.

- Except for $\sum_{u=1}^{U} x_u$, no other linear combinations can be computed.
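
The Encrypt-Sum / Decrypt-Sum exchange above, run end to end with toy numbers, including the case from the Challenges slide where the aggregator submits a single user's ciphertext. This is an added example, not code from the slides or the paper; the primes, the choice g = N + 1, the trusted-dealer key split and all function names are assumptions.

```python
import math
import random

# Toy parameters, constructed for illustration (real keys use large primes).
PRIME_P, PRIME_Q = 1009, 1013
N = PRIME_P * PRIME_Q
N2 = N * N
G = N + 1                                   # assumed generator choice
LAM = (PRIME_P - 1) * (PRIME_Q - 1) // math.gcd(PRIME_P - 1, PRIME_Q - 1)
G_LAM = pow(G, LAM, N2)                     # g^lambda, public as on the slide

def L(u):
    return (u - 1) // N

def encrypt(t, rng):
    """c = g^t * r^N mod N^2 with r coprime to N."""
    r = rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(1, N)
    return pow(G, t % N, N2) * pow(r, N, N2) % N2

def split_key(users, rng):
    """Additive shares of lambda, dealt by a trusted dealer (assumption)."""
    order = N * LAM                         # c^(N*lambda) = 1 mod N^2
    shares = [rng.randrange(order) for _ in range(users - 1)]
    shares.append((LAM - sum(shares)) % order)
    return shares

def decrypt_share(c, lam_u, r_u):
    """User side of Decrypt-Sum: c'_u = c^lam_u * g^(-r_u * lambda)."""
    unmask = pow(G_LAM, (-r_u) % N, N2)     # g^lambda has order dividing N
    return pow(c, lam_u, N2) * unmask % N2

def combine(shares):
    """Aggregator side: c' = product of shares, then L(c') / L(g^lambda) mod N."""
    c_prime = math.prod(shares) % N2
    return L(c_prime) * pow(L(G_LAM), -1, N) % N

def run(values, seed=1, cheat=False):
    """Honest run returns sum(values); cheat=True submits only user 1's ciphertext."""
    rng = random.Random(seed)
    lam = split_key(len(values), rng)
    masks = [rng.randrange(N) for _ in values]      # r_u, known only to user u
    cts = [encrypt(x + r, rng) for x, r in zip(values, masks)]
    c = cts[0] if cheat else math.prod(cts) % N2
    return combine([decrypt_share(c, l, r) for l, r in zip(lam, masks)])
```

With `cheat=True` the combined result is the first value minus the other users' masks modulo N, so the single user's value stays hidden behind randomness the aggregator does not know.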


Computing Noisy Sum

Protocol for Computing Noisy Sum

- Remember that LPA requires us to compute $\tilde{Q} = Q + \mathrm{Lap}(\lambda)$

- Let $Y_i \sim N(0, \lambda)$ for $i \in \{1, 2, 3, 4\}$ be four Gaussian random variables. Then $Z = Y_1^2 + Y_2^2 - Y_3^2 - Y_4^2$ is a $\mathrm{Lap}(2\lambda^2)$ random variable.
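
A simulation of the four-Gaussian identity above with the noise split across users, as an added example rather than code from the slides or the paper. It assumes $N(0, \lambda)$ denotes standard deviation $\lambda$, a per-user standard deviation of $\sqrt{\text{scale}/(2U)}$ so that the summed shares yield Lap(scale), and plaintext squaring in place of the encrypted protocol; the function names are hypothetical.

```python
import math
import random

def noise_shares(scale, users, rng):
    """Four Gaussian shares per user.

    Assumption: summing U independent N(0, sigma_u) shares gives N(0, sigma)
    with sigma^2 = U * sigma_u^2, and the identity needs 2 * sigma^2 = scale.
    """
    sigma_u = math.sqrt(scale / (2 * users))
    return [[rng.gauss(0.0, sigma_u) for _ in range(4)] for _ in range(users)]

def combine_noise(shares):
    """Z = Y1^2 + Y2^2 - Y3^2 - Y4^2, where Y_i sums every user's i-th share."""
    y = [sum(user[i] for user in shares) for i in range(4)]
    return y[0] ** 2 + y[1] ** 2 - y[2] ** 2 - y[3] ** 2

def noisy_sum(values, sensitivity, epsilon, rng):
    """Q + Lap(lambda) with lambda = Delta(Q) / epsilon, as LPA requires."""
    scale = sensitivity / epsilon
    return sum(values) + combine_noise(noise_shares(scale, len(values), rng))

def empirical_stats(scale, users, trials, seed=7):
    """Sample Z repeatedly; Lap(b) has E|Z| = b and E[Z^2] = 2 * b^2."""
    rng = random.Random(seed)
    zs = [combine_noise(noise_shares(scale, users, rng)) for _ in range(trials)]
    mean_abs = sum(abs(z) for z in zs) / trials
    second_moment = sum(z * z for z in zs) / trials
    return mean_abs, second_moment
```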


Encrypt Noisy Sum

[Figure: noisy sum.jpg]


Encrypt Sum Squared

[Figure: sum squared.jpg]

where $a = \sum_{u} a_u$, $\mathrm{Enc}(a^2)$ is computed and made public (How?), and $\sum_{u} b_u = 0$.


Theorem


Conclusion & Discussion

- We introduced an aggregation protocol that supports distributed differential privacy and distributed decryption.

- The distributed algorithms need interaction.

- In the decryption of exact sum Decrypt-Sum, can we change $r_u$ to $r_u - n_u$ such that a noise is left in the sum?

- In the extension part, the paper indicates that it can support 'fault tolerant' with threshold decryption. However, will it cause privacy problems?
