Skip to main content Accessibility help
×
Hostname: page-component-848d4c4894-cjp7w Total loading time: 0 Render date: 2024-06-27T14:20:15.582Z Has data issue: false hasContentIssue false

14 - Differential Privacy: A Cryptographic Approach to Private Data Analysis

Published online by Cambridge University Press:  05 July 2014

Cynthia Dwork
Affiliation:
Microsoft Research Silicon Valley
Julia Lane
Affiliation:
American Institutes for Research, Washington DC
Victoria Stodden
Affiliation:
Columbia University, New York
Stefan Bender
Affiliation:
Institute for Employment Research of the German Federal Employment Agency
Helen Nissenbaum
Affiliation:
New York University
Get access

Summary

Introduction

Propose. Break. Propose again. So pre-modern cryptography cycled. An encryption scheme was proposed; a cryptanalyst broke it; a modification, or even a completely new scheme, was proposed. Nothing ensured that the new scheme would in any sense be better than the old. Among the astonishing breakthroughs of modern cryptography is the methodology of rigorously defining the goal of a cryptographic primitive – what it means to break the primitive – and providing a clear delineation of the power – information, computational ability – of the adversary to be resisted (Goldwasser and Micali 1984; Goldwasser et al. 1988). Then, for any proposed method, one proves that no adversary of the specified class can break the primitive. If the class of adversaries captures all feasible adversaries, the scheme can be considered to achieve the stated goal.

This does not mean the scheme is invulnerable, as the goal may have been too weak to capture the full demands placed on the primitive. For example, when the cryptosystem needs to be secure against a passive eavesdropper the requirements are weaker than when the cryptosystem needs to be secure against an active adversary that can determine whether or not arbitrary ciphertexts are well formed (such an attack was successfully launched against PKCS#1; Bleichenbacher 1998). In this case the goal may be reformulated to be strictly more stringent than the original goal, and a new system proposed (and proved). This strengthening of the goal converts the propose–break–propose again cycle into a path of progress.

Type
Chapter
Information
Privacy, Big Data, and the Public Good
Frameworks for Engagement
, pp. 296 - 322
Publisher: Cambridge University Press
Print publication year: 2014

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Abowd, J., Gehrke, J., and Vilhuber, L.. 2009. Parameter exploration for synthetic data with privacy guarantees for OnTheMap. In Proc. Joint UNECE/Eurostat Work Session on Statistical Data Confidentiality (Bilbao, Spain, 2–4 December). Available at (accessed January 9, 2014).
Backstrom, Lars, Dwork, Cynthia, and Kleinberg, Jon. 2007. Wherefore art thou r3579x? Anonymized social networks, hidden patterns, and structural steganography. In Proc. 16th International Conference on World Wide Web, 181–190.
Barthe, Gilles, Köpf, Boris, Olmedo, Federico, and Beguelin, Santiago Zanella. 2012. Probabilistic relational reasoning for differential privacy. In Proc. POPL 2012.
Bleichenbacher, D. 1998. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS# 1. In CRYPTO ’98, LNCS 1462, 1–12.Google Scholar
Blum, A., Dwork, C., McSherry, F., and Nissim, K.. 2005. Practical privacy: The SuLQ framework. In Proc. 24th ACM Symposium on Principles of Database Systems (PODS), 128–138.CrossRef
Blum, A., Ligett, K., and Roth, A.. 2008. A learning theory approach to non-interactive database privacy. In Proc. 40th ACM SIGACT Symposium on Theory of Computing (STOC), 609–618.
Brakerski, Z., and Vaikuntanathan, V.. 2011. Efficient fully homomorphic encryption from (standard) LWE. In Proc. 52nd Annual IEEE Symposium on Foundations of Computing (FOCS), 97–106.
Calandrino, J., Kilzer, A., Narayanan, A., Felten, E., and Shmatikov, V.. 2011. You might also like: Privacy risks of collaborative filtering. In Proc. IEEE Symposium on Security and Privacy (SP), 231–246.
Dinur, I., and Nissim, K.. 2003. Revealing information while preserving privacy. In Proc. 22nd ACM Symposium on Principles of Database Systems (PODS), 202–210.
Duchi, John, Jordan, Michael, and Wainwright, Martin. 2013. Local privacy and statistical minimax rates. In Proc. 54th Annual IEEE Symposium on Foundations of Computer Science (FOCS).
Dwork, C. 2006. Differential privacy. In Proc. 33rd International Colloquium on Automata, Languages and Programming (ICALP), 2:1–12.Google Scholar
Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., and Naor, M.. 2006a. Our data, ourselves: Privacy via distributed noise generation. In Advances in Cryptology: Proc. EUROCRYPT, 486–503.
Dwork, C., McSherry, F., Nissim, K., and Smith, A.. 2006b. Calibrating noise to sensitivity in private data analysis. In Proc. 3rd Theory of Cryptography Conference (TCC), 265–284.
Dwork, C., McSherry, F., and Talwar, K.. 2007. The price of privacy and the limits of LP decoding. In Proc. 39th ACM Symposium on Theory of Computing (STOC), 85–94.
Dwork, C., and Naor, M.. 2010. On the difficulties of disclosure prevention in statistical databases or the case for differential privacy. Journal of Privacy and Confidentiality 2. Available at .CrossRefGoogle Scholar
Dwork, C., Naor, M., Reingold, O., Rothblum, G., and Vadhan, S.. 2009. When and how can privacy-preserving data release be done efficiently? In Proc. 41st ACM Symposium on Theory of Computing (STOC), 381–390.
Dwork, C., and Yekhanin, S.. 2008. New efficient attacks on statistical disclosure control mechanisms. In Proc. CRYPTO, 468–480.
Dwork, Cynthia, McSherry, Frank, Nissim, Kobbi, and Smith, Adam. 2011. Differential privacy – a primer for the perplexed. In Joint UNECE/Eurostat Work Session on Statistical Data Confidentiality. Available at .
Dwork, Cynthia, Rothblum, Guy N., and Vadhan, Salil P.. 2010. Boosting and differential privacy. In Proc. 51st Annual IEEE Symposium on Foundations of Computer Science (FOCS), 51–60.
Evfimievski, Alexandre, Gehrke, Johannes, and Srikant, Ramakrishnan. 2003. Limiting privacy breaches in privacy preserving data mining. In Proc. 22nd ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (PODS).
Fienberg, Stephen, Rinaldo, Alessandro, and Yang, Xiaolin. 2011. Differential privacy and the risk-utility tradeoff for multi-dimensional contingency tables. In Privacy in Statistical Databases, LNCS 6344, 187–199.CrossRefGoogle Scholar
Gentry, C. 2009. A fully homomorphic encryption scheme. PhD thesis, Stanford University.
Goldwasser, S., and Micali, S.. 1984. Probabilistic encryption. Journal of Computer and Systems Sciences 28:270–299.CrossRefGoogle Scholar
Goldwasser, Shafi, Micali, Silvio, and Rivest, Ron. 1988. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17:281–308.CrossRefGoogle Scholar
Gupta, Anupam, Hardt, Moritz, Roth, Aaron, and Ullman, Jonathan. 2011. Privately releasing conjunctions and the statistical query barrier. In Proc. 43rd Annual ACM Symposium on Theory of Computing (STOC), 803–812.
Hardt, M., Ligett, K., and McSherry, F.. 2012. A simple and practical algorithm for differentially private data release. Advances in Neural Information Processing Systems 25:2348– 2356.Google Scholar
Hardt, M., and Talwar, K.. 2010. On the geometry of differential privacy. In Proc. 42nd ACM Symposium on Theory of Computing (STOC), 705–714.
Hardt, Moritz, and Rothblum, Guy. 2010. A multiplicative weights mechanism for privacy-preserving data analysis. In Proc. 51st Annual IEEE Symposium on Foundations of Computer Science (FOCS), 61–70.
Michael, Hay, Rastogi, Vibhor, Miklau, Gerome, and Suciu, Dan. 2010. Boosting the accuracy of differentially private histograms through consistency. Proc. VLDB Endowment 3(1–2):1021–1032.Google Scholar
Hirsch, D. 2006. Protecting the inner environment: What privacy regulation can learn from environmental law. Georgia Law Review 41.Google Scholar
Homer, N., Szelinger, S., Redman, M., Duggan, D., Tembe, W., Muehling, J., Pearson, J.V., Stephan, D.A., Nelson, S.F., and Craig, D.W.. 2008. Resolving individuals contributing trace amounts of dna to highly complex mixtures using high-density snp genotyping microarrays. PLoS Genetics 4(8):e1000167.CrossRefGoogle ScholarPubMed
Hsu, Justin, Khanna, Sanjeev, and Roth, Aaron. 2012. Distributed private heavy hitters. In Proc. 39th International Colloquium Conference on Automata, Languages, and Programming (ICALP)(Track 1), 461–472.
Isaacman, Sibren, Becker, Richard, Cáceres, Ramón, Kobourov, Stephen, Martonosi, Margaret, Rowland, James, and Varshavsky, Alexancer. 2011. Identifying important places in people’s lives from cellular network data. In Pervasive Computing, LNCS 6696, 133–151.CrossRefGoogle Scholar
Isaacman, Sibren, Becker, Richard, Cáceres, Ramón, Martonosi, Margaret, Rowland, James, Varshavsky, Alexander, and Willinger, Walter. Human mobility modeling at metropolitan scales. 2012. In Proc.10th International Conference on Mobile Systems, Applications, and Services, 239–252.
Kasiviswanathan, Shiva, Homin, K. Lee, Kobbi Nissim, Sofya Raskhodnikova, and Adam Smith. What can we learn privately?SIAM Journal on Computing 40:793–826.CrossRef
Kasiviswanathan, Shiva, Rudelson, Mark, and Smith, Adam. 2012. The power of linear reconstruction attacks. arXiv:1210.2381.
Kocher, P., Jaffe, J., and Jun, B.. 1999. Differential power analysis. In Advances in Cryptology: Proc. CRYPTO’99, 388–397.
Kocher, Paul. 1996. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Advances in Cryptology: Proc. CRYPTO’96, 104–113.
Machanavajjhala, Ashwin, Kifer, Daniel, Abowd, John, Gehrke, Johannes, and Vilhuber, Lars. 2008. Privacy: Theory meets practice on the map. In Proc. International Conference on Data Engineering (ICDE), 277–286.
McSherry, F. 2009. Privacy integrated queries (codebase). Available on Microsoft Research downloads website. See also Proc. SIGMOD 2009, 19–30.
McSherry, F., and Talwar, K.. 2007. Mechanism design via differential privacy. In Proc. 48th Annual Symposium on Foundations of Computer Science (FOCS), 94–103.
Mir, Darakhshan, Isaacman, Sibren, Cáceres, Ramón, Martonosi, Margaret, and Wright, Rebecca N. 2013. DP-WHERE: Differentially private modeling of human mobility. In Proc. IEEE Conference on Big Data, 580–588.
Mironov, Ilya. 2012. On significance of the least significant bits for differential privacy. In Proc. ACM Conference on Computer and Communications Security (CCS), 650– 661.
Narayanan, Arvind, and Shmatikov, Vitaly. 2008. Robust de-anonymization of large sparse datasets. In Proc. IEEE Symposium on Security and Privacy (SP), 111–125.
Nikolov, Aleksandar, Talwar, Kunal, and Zhang, Li. 2013. The geometry of differential privacy: The sparse and approximate cases. In Proc. 45th ACM Symposium on Theory of Computing (STOC), 351–360.CrossRef
Papadopoulos, S., and Kellaris, G.. 2013. Practical differential privacy via grouping and smoothing. In Proc. 39th International Conference on Very Large Data Bases, 301–312.
Prabhakaran, Manoj, and Sahai, Amit. 2013. Secure Multi-party Computation. Washington, DC: IOS Press.Google Scholar
Roth, Aaron, and Roughgarden, Tim. 2010. Interactive privacy via the median mechanism. In Proc. 42nd ACM Symposium on Theory of Computing (STOC), 765–774.
Roy, Indrajit, Setty, Srinath, Kilzer, Ann, Shmatikov, Vitaly, and Witchel, Emmett. 2010. Airavat: Security and privacy for MapReduce. In Proc. 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 10:297–312.Google Scholar
Sweeney, L. 1997. Weaving technology and policy together to maintain confidentiality. Journal of Law, Medicine and Ethics 25:98–110.CrossRefGoogle ScholarPubMed
Sweeney, Latanya. 2012. Keynote Lecture, Second Annual iDASH All-Hands Symposium, UCSD, La Jolla, CA.
Ullman, Jonathan, and Vadhan, Salil P.. 2011. PCPs and the hardness of generating private synthetic data. In Proc. 8th Theory of Cryptography Conference (TCC), 400–416.
Warner, S. 1965. Randomized response: A survey technique for eliminating evasive answer bias. Journal of the American Statistical Association 60:63–69.CrossRefGoogle ScholarPubMed

Save book to Kindle

To save this book to your Kindle, first ensure coreplatform@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×