Proving differential privacy with shadow execution

Wang, Yuxin; Ding, Zeyu; Wang, Guanhong; Kifer, Daniel; Zhang, Danfeng

doi:10.1145/3314221.3314619

Cited by 49 publications

(64 citation statements)

References 49 publications

(136 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Related work sensitivity-and its derivatives DFuzz [21], Adaptive Fuzz [58], Fuzzi [62], and Duet [44]. Hoare2 [4], a programming language which enforces (pure or approximate) di erential privacy using program veri cation, together with its extension PrivInfer [5] supporting di erentially private Bayesian programming; and other systems using similar ideas [7,1,61,57].…”

Section: Formal Calculi For Dpmentioning

confidence: 99%

A Programming Language for Data Privacy with Accuracy Estimations

Lobo-Vesga

Russo

Gaboardi

2021

ACM Trans. Program. Lang. Syst.

View full text Add to dashboard Cite

Differential privacy offers a formal framework for reasoning about the privacy and accuracy of computations on private data. It also offers a rich set of building blocks for constructing private data analyses. When carefully calibrated, these analyses simultaneously guarantee the privacy of the individuals contributing their data, and the accuracy of the data analysis results, inferring useful properties about the population. The compositional nature of differential privacy has motivated the design and implementation of several programming languages to ease the implementation of differentially private analyses. Even though these programming languages provide support for reasoning about privacy, most of them disregard reasoning about the accuracy of data analyses. To overcome this limitation, we present DPella, a programming framework providing data analysts with support for reasoning about privacy, accuracy, and their trade-offs. The distinguishing feature of DPella is a novel component that statically tracks the accuracy of different data analyses. To provide tight accuracy estimations, this component leverages taint analysis for automatically inferring statistical independence of the different noise quantities added for guaranteeing privacy. We evaluate our approach by implementing several classical queries from the literature and showing how data analysts can calibrate the privacy parameters to meet the accuracy requirements, and vice versa.

show abstract

Section: Formal Calculi For Dpmentioning

confidence: 99%

A Programming Language for Data Privacy with Accuracy Estimations

Lobo-Vesga

Russo

Gaboardi

2021

ACM Trans. Program. Lang. Syst.

View full text Add to dashboard Cite

show abstract

“…A DP mechanism can be so complicated (e.g., the sparse vector technique described in the following section) that the wrong proofs appear [25]. Then, many verification tools using a proof syntax [2,32,34] are proposed to verify the correctness of proof for DP. The idea of the proof syntax is called randomness alignment.…”

Section: Compositionmentioning

confidence: 99%

Asymmetric Differential Privacy

Takagi¹,

Cao²,

Yoshikawa³

2021

Preprint

View full text Add to dashboard Cite

Recently, differential privacy (DP) is getting attention as a privacy definition when publishing statistics of a dataset. However, when answering a decision problem with a DP mechanism, it causes a two-sided error. This characteristic of DP is not desirable when publishing risk information such as concerning COVID-19. This paper proposes relaxing DP to mitigate the limitation and improve the utility of published information. First, we define a policy that separates information into sensitive and non-sensitive. Then, we define asymmetric differential privacy (ADP) that provides the same privacy guarantee as DP to sensitive information. This partial protection induces asymmetricity in privacy protection to improve utility and allow a one-sided error mechanism. Following ADP, we propose two mechanisms for two tasks based on counting query with utilizing these characteristics: top-𝑘 query and publishing risk information of viruses with an accuracy guarantee. Finally, we conducted experiments to evaluate proposed algorithms using real-world datasets and show their practicality and improvement of the utility, comparing state-of-the-art algorithms.

show abstract

“…Within this group are Fuzz [4]-a programming language which enforces (pure) differential privacy of computations using a linear type system which keeps track of program sensitivity-and its derivatives DFuzz [6], Adaptive Fuzz [10], Fuzzi [13], and Duet [50]. Hoare2 [7], a programming language which enforces (pure or approximate) differential privacy using program verification, together with its extension PrivInfer [8] supporting differentially private Bayesian programming; and other systems using similar ideas [43,51,9,52].…”

Section: Related Workmentioning

confidence: 99%

A Programming Framework for Differential Privacy with Accuracy Concentration Bounds

Lobo-Vesga

Russo

Gaboardi

2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Differential privacy offers a formal framework for reasoning about privacy and accuracy of computations on private data. It also offers a rich set of building blocks for constructing private data analyses. When carefully calibrated, these analyses simultaneously guarantee the privacy of the individuals contributing their data, and the accuracy of the data analyses results, inferring useful properties about the population. The compositional nature of differential privacy has motivated the design and implementation of several programming languages aimed at helping a data analyst in programming differentially private analyses. However, most of the programming languages for differential privacy proposed so far provide support for reasoning about privacy but not for reasoning about the accuracy of data analyses. To overcome this limitation, in this work we present DPella, a programming framework providing data analysts with support for reasoning about privacy, accuracy and their trade-offs. The distinguishing feature of DPella is a novel component which statically tracks the accuracy of different data analyses. In order to make tighter accuracy estimations, this component leverages taint analysis for automatically inferring statistical independence of the different noise quantities added for guaranteeing privacy. We evaluate our approach by implementing several classical queries from the literature and showing how data analysts can figure out the best manner to calibrate privacy to meet the accuracy requirements.

show abstract

Proving differential privacy with shadow execution

Cited by 49 publications

References 49 publications

A Programming Language for Data Privacy with Accuracy Estimations

A Programming Language for Data Privacy with Accuracy Estimations

Asymmetric Differential Privacy

A Programming Framework for Differential Privacy with Accuracy Concentration Bounds

Contact Info

Product

Resources

About