Multiparty Differential Privacy
Salil Vadhan
Center for Research on Computation & Society, School of Engineering & Applied Sciences, Harvard University
Differential Privacy Meets Multi-Party Computation (DPMPC) Workshop, Boston University, June 4-5, 2018
Outline • Differential Privacy in the Centralized Model • Multiparty Differential Privacy • Benefits of Differential Privacy & MPC
Data Privacy: The Problem
Given a dataset with sensitive information, such as:
• Census data
• Health records
• Social network activity
• Telecommunications data
How can we:
• enable "desirable uses" of the data (academic research, informing policy, identifying subjects for drug trials, searching for terrorists, market analysis, …)
• while protecting the "privacy" of the data subjects?
Approach 1: Encrypt the Data
Problems? The data must be decrypted before it can be used, so encryption by itself does not reconcile utility with privacy.
Approach 2: Anonymize the Data
Problems? "Re-identification" is often easy [Sweeney `97].
Approach 3: Mediate Access
[Figure: data analysts send queries q1, q2, q3 to a trusted "curator" C holding the dataset, who returns answers a1, a2, a3]
Problems? Even simple "aggregate" statistics can reveal individual info [Dinur-Nissim `03, Homer et al. `08, Mukatran et al. `11, Dwork et al. `15].
Differential privacy [Dinur-Nissim '03+Dwork, Dwork-Nissim '04, Blum-Dwork-McSherry-Nissim '05, Dwork-McSherry-Nissim-Smith '06]
[Figure: as above, but now an adversary, in place of the data analysts, sends queries q1, q2, q3 to the curator C and receives answers a1, a2, a3]
Requirement: the effect of each individual should be "hidden". That is, an adversary shouldn't be able to tell if any one person's data were changed arbitrarily.
Simple approach: random noise
"What fraction of people are type B and HIV positive?" → C returns Answer + Noise(o(1))
• Error → 0 as n → ∞
• Very little noise needed to hide each person as n → ∞
• Note: this is just for one query
Differential privacy [Dinur-Nissim '03+Dwork, Dwork-Nissim '04, Blum-Dwork-McSherry-Nissim '05, Dwork-McSherry-Nissim-Smith '06]
[Figure: the adversary now queries a randomized curator C]
Requirement: for all D, D' differing on one row, and all q1,…,qt:
Distribution of C(D,q1,…,qt) ≈ Distribution of C(D',q1,…,qt)
Differential privacy [Dinur-Nissim '03+Dwork, Dwork-Nissim '04, Blum-Dwork-McSherry-Nissim '05, Dwork-McSherry-Nissim-Smith '06]
Requirement: for all D, D' differing on one row, all q1,…,qt, and all sets T:
Pr[C(D,q1,…,qt) ∈ T] ≤ (1+ε) · Pr[C(D',q1,…,qt) ∈ T]
Differential privacy [Dinur-Nissim '03+Dwork, Dwork-Nissim '04, Blum-Dwork-McSherry-Nissim '05, Dwork-McSherry-Nissim-Smith '06]
Requirement: for all D, D' differing on one row, all q1,…,qt, and all sets T:
Pr[C(D,q1,…,qt) ∈ T] ≤ e^ε · Pr[C(D',q1,…,qt) ∈ T] + δ, where δ is negligible
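(For small ε these two formulations agree, since e^ε = 1 + ε + O(ε²); the additive δ term allows a negligible probability of failure, and the resulting guarantee is what is now standardly called (ε,δ)-differential privacy.)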
Simple approach: random noise
"What fraction of people are type B and HIV positive?" → C returns Answer + Laplace(1/(εn))
[Figure: the Laplace density, p(z) ∝ exp(−εn·|z|)]
• Very little noise needed to hide each person as n → ∞
• Note: this is just for one query
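As an illustration, here is a minimal Python sketch of this one-query Laplace mechanism; the function name, the toy dataset, and the parameter choices are illustrative, not from the talk:

import numpy as np

def dp_fraction(data, predicate, epsilon):
    # epsilon-DP estimate of the fraction of rows satisfying `predicate`.
    # A fraction query has sensitivity 1/n (changing one row moves the
    # true answer by at most 1/n), so Laplace noise of scale 1/(epsilon*n)
    # suffices for epsilon-differential privacy.
    n = len(data)
    true_answer = sum(1 for row in data if predicate(row)) / n
    return true_answer + np.random.laplace(loc=0.0, scale=1.0 / (epsilon * n))

# Hypothetical usage: rows are (blood_type, hiv_positive) pairs.
data = [("B", True), ("A", False), ("B", False), ("O", True)] * 250   # n = 1000
est = dp_fraction(data, lambda r: r[0] == "B" and r[1], epsilon=0.1)
# With n = 1000 and epsilon = 0.1, the noise has standard deviation
# sqrt(2)/(epsilon*n) ~ 0.014, so the estimate stays accurate while
# each individual remains hidden.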
Answering multiple queries
"What fraction of people are type B and HIV positive?" (and t−1 more such queries) → C returns each Answer + Laplace(O(√t)/(εn))
• Error → 0 provided t ≪ (εn)²
• Composition Thm [Dwork-Rothblum-V. `10]: t independent ε-DP algorithms yield ≈ (√t·ε)-DP
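For reference, the advanced composition bound of [Dwork-Rothblum-V. `10] can be stated as follows (a standard formulation, written here in LaTeX):

If $M_1,\dots,M_t$ are each $\varepsilon$-DP, then for every $\delta > 0$ their composition is $(\varepsilon',\delta)$-DP with
\[ \varepsilon' \;=\; \sqrt{2t\ln(1/\delta)}\,\varepsilon \;+\; t\,\varepsilon\,(e^{\varepsilon}-1). \]

In particular, for small ε the privacy parameter grows only as ≈ √t·ε rather than t·ε, which is what lets C answer t queries with noise scale O(√t)/(εn).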
Some Differentially Private Algorithms • histograms [DMNS06] • contingency tables [BCDKMT07, GHRU11, TUV12, DNT14], • machine learning [BDMN05,KLNRS08], • regression & statistical estimation [CMS11,S11,KST11,ST12,JT13] • clustering [BDMN05,NRS07] • social network analysis [HLMJ09,GRU11,KRSY11,KNRS13,BBDS13] • approximation algorithms [GLMRT10] • singular value decomposition [HR12, HR13, KT13, DTTZ14] • streaming algorithms [DNRY10,DNPR10,MMNW11] • mechanism design [MT07,NST10,X11,NOS12,CCKMV12,HK12,KPRU12] • … See Simons Institute Workshop on Big Data & Differential Privacy 12/13
Differential Privacy: Interpretations
Distribution of C(D,q1,…,qt) ≈ Distribution of C(D',q1,…,qt)
• Whatever an adversary learns about me, it could have learned from everyone else's data.
• Mechanism cannot leak "individual-specific" information.
• Above interpretations hold regardless of adversary's auxiliary information.
• Composes gracefully (k repetitions ⟹ kε-differentially private)
But
• No protection for information that is not localized to a few rows.
• No guarantee that subjects won't be "harmed" by results of analysis.
Amazing possibility: synthetic data [Blum-Ligett-Roth '08, Hardt-Rothblum `10]
[Figure: curator C releases a dataset of "fake" people]
Utility: preserves the fraction of people with every set of attributes!
Problem: uses computation time exponential in the dimension (number of attributes) of the data.
Amazing Possibility II: Statistical Inference & Machine Learning
[Figure: curator C outputs a hypothesis or model about the world, e.g. a rule for predicting disease from attributes]
Theorem [KLNRS08,S11]: Differential privacy for a vast array of machine learning and statistical estimation problems with little loss in convergence rate as n → ∞.
• Optimizations & practical implementations for logistic regression, ERM, LASSO, SVMs in [RBHT09,CMS11,ST13,JT14].
Major Deployments of DP Centralized model: • Census “OnTheMap” commuter data (2006) • Census plans: all releases from 2020 Census Multiparty differential privacy: • Google “RAPPOR” for Chrome Statistics (2014) • Apple in iOS10 and Safari (2016)
The Privacy Tools Project http://privacytools.seas.harvard.edu/ Computer Science, Law, Social Science, Statistics Any opinions, findings, and conclusions or recommendations expressed here are those of the author(s) and do not necessarily reflect the views of the funders of the work.
PSI: a Private data-Sharing Interface[Gaboardi-Honaker-King-Murtagh-Nissim-Ullman-Vadhan `16]
2-Party Differential Privacy [Dwork-Nissim `04,…]
• Each party has a sensitive dataset; they want to do a joint computation f(DA,DB)
[Figure: A and B exchange messages m1, m2, m3, …, mk−1, mk; the output out(m1,…,mk) ≈ f(DA,DB)]
2-Party Differential Privacy
[Figure: A and B exchange messages m1, m2, m3, …, mk−1, mk; the adversary outputs a bit 0/1]
• (ε,δ)-differential privacy for B: ∀ adversary A*, ∀ databases DB, D'B that differ on one row,
Pr[outA*(A*,B(DB)) = 1] ≤ e^ε · Pr[outA*(A*,B(D'B)) = 1] + δ
• and similarly for A
Multiparty Differential Privacy
[Figure: parties P1(D1),…,P5(D5); the adversary P−5* controls every party except P5 and outputs a bit 0/1]
Require: ∀ i, ∀ adversary P−i*, ∀ databases Di, D'i that differ on one row,
Pr[outP−i*(P−i*,Pi(Di)) = 1] ≤ e^ε · Pr[outP−i*(P−i*,Pi(D'i)) = 1] + δ
The Local Model [Dwork-Kenthapadi-McSherry-Mironov-Naor `06]
• n parties, each holds a single row (their own data)
[Figure: as above, with each party Pi holding just its own row Di]
Require: ∀ i, ∀ adversary P−i*, ∀ databases Di, D'i that differ on one row,
Pr[outP−i*(P−i*,Pi(Di)) = 1] ≤ e^ε · Pr[outP−i*(P−i*,Pi(D'i)) = 1] + δ
• Implemented by Apple & Google
The Local Model
[Figure: parties P1(D1),…,Pn(Dn) each communicate with a mediator M]
• n parties, each holds a single row (their own data)
• Often with a mediator:
  • untrusted for privacy
  • trusted for correctness
  • like a broadcast channel & shared public randomness, but with different efficiency goals
Multiparty Differential Privacy: variants
• Computationally bounded vs. unbounded adversaries (computational vs. information-theoretic security)
• Passive/honest-but-curious vs. active/malicious adversaries
• Private communication channels vs. broadcast
• Threshold adversaries
• Correctness/fairness/guaranteed output delivery (G.O.D.) under malicious behavior
Constructing Multiparty DP Protocols
Given a function f(D1,…,Dn) we wish to compute
• Example: each Di ∈ {0,1} and f(D1,…,Dn) = Σi Di
• Step 1: Design a centralized mechanism C
  • Example: C(D1,…,Dn) = Σi Di + Lap(1/ε)
• Step 2: Use secure multiparty computation [Yao86,GMW86] to implement C with a distributed protocol (P1,…,Pn).
  • Adversary's view can be simulated (up to computational indistinguishability) given only access to the "ideal functionality" C ⟹ computational differential privacy
• Can be done more efficiently in specific cases [DKMMN06,BNO08].
• Q: Did we really need computational differential privacy?
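As a concrete illustration of Step 1 for the SUM example, here is a minimal Python sketch of the centralized mechanism C that the MPC protocol of Step 2 would emulate as its ideal functionality; the function name is illustrative:

import numpy as np

def ideal_sum_functionality(bits, epsilon):
    # C(D1,...,Dn) = sum_i Di + Lap(1/epsilon).
    # SUM has sensitivity 1 (changing one row moves the total by at
    # most 1), so Laplace noise of scale 1/epsilon gives epsilon-DP
    # with error only O(1/epsilon), independent of n.
    return sum(bits) + np.random.laplace(loc=0.0, scale=1.0 / epsilon)

An MPC protocol emulating C inherits this O(1/ε) error, but its privacy guarantee is computational, since MPC security itself is computational.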
Local DP Protocol for SUM: "Randomized Response" [W65]
P1,…,Pn have bits D1,…,Dn ∈ {0,1}, want to estimate Σi Di
• Each Pi broadcasts Ni = Di w.p. (1+ε)/2, and 1−Di w.p. (1−ε)/2
• Everyone computes Z = (1/ε) · Σi (Ni − (1−ε)/2)
• Differential Privacy: ((1+ε)/2)/((1−ε)/2) = 1+O(ε)
• Accuracy: E[Ni] = (1−ε)/2 + ε·Di, so whp the error is O(n^(1/2)/ε)
• Nontrivial, but worse than the O(1/ε) achievable with computational d.p.
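A minimal Python sketch of this protocol (variable and function names are illustrative):

import numpy as np

def randomize(d_i, eps):
    # Pi broadcasts its true bit w.p. (1+eps)/2 and the flipped bit
    # w.p. (1-eps)/2; the likelihood ratio (1+eps)/(1-eps) = 1+O(eps)
    # makes each broadcast O(eps)-differentially private.
    return d_i if np.random.random() < (1 + eps) / 2 else 1 - d_i

def estimate_sum(noisy_bits, eps):
    # Since E[Ni] = (1-eps)/2 + eps*Di, the debiased statistic
    # Z = (1/eps) * sum_i (Ni - (1-eps)/2) has expectation sum_i Di.
    return sum(n - (1 - eps) / 2 for n in noisy_bits) / eps

bits = np.random.randint(0, 2, size=10_000)
noisy = [randomize(b, eps=0.25) for b in bits]
print(estimate_sum(noisy, eps=0.25), bits.sum())
# Each Ni has variance Theta(1), so Z has standard deviation
# Theta(sqrt(n)/eps), matching the O(n^(1/2)/eps) accuracy above.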
Lower Bound for Computing SUM
Thm: Every local DP protocol for SUM incurs error Ω(n^(1/2)) whp
• Assuming ε = O(1), δ = o(1/n)
• Improves the lower bound of Ω(n^(1/2)/(# rounds)) of [BNO08].
Proof:
• Assume δ = 0 for simplicity.
• Let (D1,…,Dn) be uniform, independent bits, T = trans(P1(D1),…,Pn(Dn))
• Claim: conditioned on T = t, D1,…,Dn are still independent bits, each with bias O(ε)
  • Independence holds for any communication protocol
  • Bias by Bayes' Rule & Differential Privacy (see the calculation below)
• Claim: a sum of n independent bits, each with constant bias, falls outside any interval of size o(n^(1/2)) whp
⟹ Whp Σi Di ∉ [output(T) − o(n^(1/2)), output(T) + o(n^(1/2))]
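The bias claim is the following one-line calculation: with a uniform prior the posterior odds equal the likelihood ratio, which local differential privacy bounds by e^ε:

\[
\frac{\Pr[D_i = 1 \mid T = t]}{\Pr[D_i = 0 \mid T = t]}
= \frac{\Pr[T = t \mid D_i = 1]}{\Pr[T = t \mid D_i = 0]} \cdot \frac{\Pr[D_i = 1]}{\Pr[D_i = 0]}
\;\le\; e^{\varepsilon} \cdot 1 \;=\; 1 + O(\varepsilon).
\]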
Separation for Two-Party Protocols
A's input: x = (x1,…,xn) ∈ {0,1}^n, B's input: y = (y1,…,yn) ∈ {0,1}^n
Goal [MPRV09]: estimate <x,y> (set intersection)
• Can be computed by a computational differentially private protocol with error O(1/ε)
• Can be computed by an information-theoretically differentially private protocol with error O(n^(1/2)/ε)
• Thm [MMPTRV10]: Every 2-party DP protocol for <x,y> incurs error Ω(n^(1/2)/log n) whp.
Lower Bound for Inner Product
A's input: x = (x1,…,xn) ∈ {0,1}^n, B's input: y = (y1,…,yn) ∈ {0,1}^n
Thm: Every 2-party DP protocol for <x,y> incurs error Ω(n^(1/2)/log n) whp
Proof:
• X, Y = uniformly random, T = trans(A(X),B(Y))
• Claim: conditioned on T = t, X and Y are independent, unpredictable (Santha-Vazirani) sources: every bit has conditional bias O(ε) given the preceding bits, by Bayes' Rule & DP as in the SUM lower bound
• Claim: if X, Y are independent, unpredictable sources on {0,1}^n, then <X,Y> mod m is almost uniform in Zm for some m = Ω(n^(1/2)/log n)
  • Randomness extractor!
  • Generalizes the [Vaz86] result for m = 2.
  • Proof via Fourier analysis over Zm
⟹ Whp <X,Y> ∉ [output(T) − o(m), output(T) + o(m)]
A Starker Separation
Thm [KLNRS `08]: When the data is iid samples from an unknown distribution, local DP is equivalent to the statistical query (SQ) model [K93]
• i.e., algorithms that only estimate expectations E[q(data)] for bounded query functions q
In particular, PARITY functions are not PAC-learnable in the local model [K93].
Thm [KLNRS `08]: PARITY functions can be PAC-learned with centralized DP.
The Need for DP+MPC
• Information-theoretic multiparty/local DP has severe limitations compared with centralized DP
  • Incurs significantly larger error for simple functions (e.g., Ω(n^(1/2)) vs. O(1/ε) for SUM)
  • Impossible to achieve for some complex tasks
• Consequences
  • Only companies with huge data have deployed local DP
  • Motivates hybrid models, where some users get local DP and opt-in users get centralized DP [AHKLZ17]
• With MPC & computational security, there is no gap!
Some Research Directions • Efficient/practical constructions of MPC implementations of DP algorithms. • Minimal MPC security or complexity assumptions needed for multiparty DP [HOZ13,KMS14,GKMPS16]. • Develop theory of information-theoretic multiparty DP similar to centralized case.