Privacy in Statistical Databases
Privacy in Statistical Databases
Setting: individuals contribute data x_1, x_2, ..., x_n to a server/agency, which runs a sanitizer A that answers queries from users (government, researchers, businesses) or from a malicious adversary. What information can be released?
Two conflicting goals. Utility: users can extract global statistics. Privacy: individual information stays hidden.
How can these be made precise? (How context-dependent must they be?)
Why not use crypto definitions?
Cryptography successfully defined concepts such as encryption and secure function evaluation. Recall encryption:
Semantic security: for any function f, any distribution on messages, and any efficient algorithm A, there exists an efficient algorithm A′ such that Pr[A(PK, Enc_PK(m)) = f(m)] ≤ Pr[A′(PK) = f(m)] + ε.
Indistinguishability: for any message m, no efficient adversary can tell apart encryptions of m and of a default message: Enc_PK(0) ≈ Enc_PK(m).
The adversary's information is quantified precisely, and encryption must be randomized.
Encryption: Real vs Ideal worlds
Real world: Alice sends Bob an encryption of a 100-bit message m; the adversary sees the ciphertext.
Ideal world: Alice tells the adversary "I am sending Bob a message of 100 bits" and nothing else.
How can you simulate the ideal world, i.e., make the ideal world look like the real world? Have Alice send an encryption of 00...0 (100 zeros). No adversary can tell the real world from the simulation, and clearly the simulation leaks no information about m!
Notes about these definitions
Security is a property of the algorithm used for encryption: you can't point at a particular string and say it is secure. The adversary's information and abilities are quantified precisely. Because we allow the adversary side information about the message, all the security resides in the secret key and the randomness used for encryption.
Secure Function Evaluation (a.k.a. multi-party computation)
Several parties, each with input x_i, want to compute a function f(x_1, x_2, ..., x_n).
Ideal world: all parties hand their inputs to a trusted party, who computes f(x_1, ..., x_n) and releases the result. There exist secure protocols for this task; the idea is that a simulator can generate a dummy transcript given only the value of f.
Privacy: use SFE protocols to jointly data mine (horizontally vs. vertically partitioned data). Lots of papers (see optional topics).
Example: Shamir secret sharing
Given a secret value s, distribute shares s_1, s_2, ..., s_n such that any single participant learns nothing about s, while any two participants can reconstruct it.
Idea: pick a random line that passes through (0, s); s_1 is its value at x = 1, s_2 its value at x = 2, and so on.
Shares of two secrets s and t can be added to obtain shares of s + t. Shares can be multiplied to obtain shares of s*t, but now you have a degree-2 polynomial that passes through (0, s*t).
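This construction takes only a few lines of code. A minimal sketch of the 2-out-of-n case over a prime field; the prime, the function names, and the example values are illustrative choices, not from the slides:

```python
# Sketch of 2-out-of-n Shamir sharing: a random line through (0, secret).
# PRIME, share, reconstruct are hypothetical names chosen for this example.
import random

PRIME = 2_147_483_647            # any prime larger than the secret works

def share(secret, n):
    """Share i is the line's value at x = i; one share alone is uniform noise."""
    a = random.randrange(PRIME)  # random slope
    return [(i, (secret + a * i) % PRIME) for i in range(1, n + 1)]

def reconstruct(share1, share2):
    """Interpolate the line at x = 0 from any two shares."""
    (x1, y1), (x2, y2) = share1, share2
    inv = pow(x2 - x1, -1, PRIME)            # modular inverse (Python 3.8+)
    return (y1 * x2 - y2 * x1) * inv % PRIME

shares = share(secret=42, n=5)
print(reconstruct(shares[0], shares[3]))     # -> 42
```

Adding two parties' shares of s and of t pointwise yields shares of the summed line through (0, s + t), which is the additivity property noted above.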
Why not use crypto definitions?
Attempt #1. Definition: for every entry i, no information about x_i is leaked (as if it were encrypted). Problem: then no information at all is revealed! There is a tradeoff between privacy and utility.
Attempt #2. Agree on summary statistics f(DB) that are "safe". Definition: no information is leaked except f(DB). Problem: why is f(DB) safe to release? This is the tautology trap. (Also: how do you figure out what f is?)
Why not use crypto definitions?
Problem: crypto makes sense in settings where the line between inside and outside is well defined. E.g., for a psychologist: inside = psychologist and patient; outside = everyone else. In statistical databases the line between inside and outside is fuzzy.
Achieving Differential Privacy
Outline: examples; intuitions for privacy; why crypto definitions don't apply. A partial* selection of definitions: two straw men; blending into the crowd; an impossibility result; attribute disclosure and differential privacy. Conclusions.
Criteria for a good definition: understandable; clear about the adversary's goals and prior knowledge / side information.
(* partial = incomplete and biased)
Straw man #1: Exact Disclosure
Setting: DB = (x_1, x_2, x_3, ..., x_{n-1}, x_n); the sanitizer San (using random coins) answers queries 1, ..., T from an adversary A.
Definition: the sanitizer is safe if the adversary cannot learn any entry exactly.
This leads to nice (but hard) combinatorial problems, yet it does not preclude learning a value with 99% certainty, or narrowing it down to a small interval.
Historically the focus was on auditing interactive queries; the difficulty is understanding relationships between queries, e.g., two queries whose answers differ only slightly.
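The last point is the classic differencing attack: two aggregate queries that each look harmless, but whose answers differ in exactly one person's record. A toy illustration (the data and names are invented for this sketch):

```python
# Two large-looking sum queries whose difference pins down one entry exactly.
salaries = {"alice": 83_000, "bob": 61_000, "carol": 72_000, "dave": 55_000}

q1 = sum(salaries.values())                                       # sum over everyone
q2 = sum(v for name, v in salaries.items() if name != "alice")    # everyone but Alice

print(q1 - q2)   # 83000 -- Alice's exact salary, though neither answer reveals it alone
```

An auditor that checks each query in isolation would allow both, which is why understanding the relationships between queries is the hard part.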
Straw man #2: Learning the distribution
Assume x_1, ..., x_n are drawn i.i.d. from an unknown distribution.
Definition: San is safe if it only reveals the distribution. Implied approach: learn the distribution, then release a description of it or re-sample points from it.
Problem: the tautology trap again. The estimate of the distribution depends on the data, so why is it safe?
Two Intuitions for Data Privacy
"If the release of statistics S makes it possible to determine the value [of private information] more accurately than is possible without access to S, a disclosure has taken place." [Dalenius] Learning more about me should be hard.
"Privacy is protection from being brought to the attention of others." [Gavison] Safety is blending into a crowd.
Blending into a Crowd
Intuition: I am safe in a group of k or more; k varies (...,000?).
Many variations on the theme. The adversary wants a predicate g such that 0 < #{i : g(x_i) = true} < k; such a g is called a breach of privacy.
Why? Fundamental: R. Gavison's "protection from being brought to the attention of others"; a rare property helps re-identify someone. Implicit: information about a large group is public, e.g., liver problems are more prevalent among diabetics.
Two variants: frequency in the DB vs. frequency in the underlying population. How can we capture this?
Cluster Definitions
Given a sanitization S, look at the set of all databases consistent with S. Definition: S is safe if no predicate is a breach for all consistent databases.
k-anonymity [L. Sweeney]: the sanitization is a histogram of the data. Partition the domain D into bins B_1 ∪ B_2 ∪ ... ∪ B_t and output the bins and their cardinalities f_j = #(DB ∩ B_j). Safe if for all j, either f_j ≥ k or f_j = 0.
Cell bound methods [statistics, 1990s]: the sanitization consists of marginal sums. Let f_z = #{i : x_i = z}; then San(DB) = various sums of the f_z. Safe if for all z, either there exists a consistent DB with f_z ≥ k, or f_z = 0 in all consistent DBs. There is a large literature using algebraic and combinatorial techniques.
Example (hair color vs. eye color): true cell counts, with the range of values consistent with the released marginal sums in brackets.
           brown        blue         Σ
  blond    2  [0,12]    10 [0,12]    12
  brown    12 [0,14]    6  [0,16]    18
  Σ        14           16           30
Issues: if k is small, "all three Canadians in CSE sing in a choir." What are the semantics? Probability is not considered, nor is the algorithm used for making decisions. What if I have side information? What adversary does this apply to?
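Operationally, the k-anonymity condition above is just a check on the nonempty bins of the histogram. A toy sketch; the record format, bin function, and threshold are illustrative assumptions:

```python
# Release bin counts only if every nonempty bin has at least k records.
from collections import Counter

def k_anonymous_release(records, bin_of, k):
    counts = Counter(bin_of(r) for r in records)
    if all(c >= k for c in counts.values()):   # f_j >= k or f_j = 0
        return dict(counts)
    return None                                # otherwise refuse to release

rows = [("blond", "blue"), ("blond", "blue"),
        ("brown", "brown"), ("brown", "brown"), ("brown", "blue")]
print(k_anonymous_release(rows, bin_of=lambda r: r, k=2))   # None: one bin has count 1
```

Even when the check passes, a small k gives weak semantics, which is exactly the first issue raised above.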
Security for Bayesian adversaries
Goal: the adversary outputs a point z ∈ D; its score is 1/f_z if f_z > 0, and 0 otherwise. Definition: the sanitization is safe if E(score) ≤ ε.
Procedure: assume you know the adversary's prior distribution over databases. Given a candidate output (e.g., a set of marginal sums), update the prior conditioned on that output (via Bayes' rule). If max_z E(score | output) < ε, then release; else consider a new set of marginal sums.
There is an extensive literature on computing this expected value (see Yosi's talk).
Issues: this restricts the type of predicates the adversary can choose; one must know the prior distribution (can one scheme work for many distributions?); the sanitizer works harder than the adversary; and the conditional probabilities don't take previous iterations into account (cf. simulatability [KMN 05]). Can this be fixed (with efficient computations)?
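For a tiny domain the whole procedure can be enumerated explicitly, which also makes the "sanitizer works harder than the adversary" complaint concrete. A sketch under strong simplifying assumptions: three-row databases over two values, a uniform prior, and a single count as the candidate release; every name and number here is hypothetical:

```python
from itertools import product

DOMAIN = ["a", "b"]                         # possible record values
DBS = list(product(DOMAIN, repeat=3))       # all databases with 3 rows
prior = {db: 1 / len(DBS) for db in DBS}    # adversary's prior: uniform

def f(db):                                  # candidate release: number of "a" records
    return db.count("a")

def worst_expected_score(output):
    """Bayes-update the prior given the released value, then take max_z E[1/f_z]."""
    consistent = {db: p for db, p in prior.items() if f(db) == output}
    total = sum(consistent.values())
    posterior = {db: p / total for db, p in consistent.items()}
    return max(
        sum(p / db.count(z) for db, p in posterior.items() if db.count(z) > 0)
        for z in DOMAIN
    )

eps = 0.6
for out in range(4):    # release the count only if the expected score stays below eps
    print(out, "release" if worst_expected_score(out) < eps else "withhold")
```

Note that the update conditions only on the single candidate output, mirroring the "previous iterations are ignored" issue above.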
Blending into a Crowd
Intuition: I am safe in a group of k or more.
Pros: an appealing intuition for privacy; seems fundamental; mathematically interesting; meaningful statements are possible!
Cons: does it rule out learning facts about a particular individual? All results seem to make strong assumptions on the adversary's prior distribution; is this necessary? (Yes...)
Overview
Examples; intuitions for privacy; why crypto definitions don't apply. A partial* selection of definitions: two straw men; blending into the crowd; an impossibility result; attribute disclosure and differential privacy. Conclusions.
An impossibility result
An abstract schema: define a privacy breach, and require that for all distributions on databases and all adversaries A, there exists an adversary A′ (with no access to the sanitization) such that Pr(A(San(DB)) = breach) − Pr(A′() = breach) ≤ ε.
Theorem [Dwork-Naor]: for any reasonable notion of breach, if San(DB) contains any information about DB, then some adversary breaks this definition.
Example: the adversary knows that Alice is 2 inches shorter than the average Lithuanian; but how tall are Lithuanians? With the sanitized database, the probability of guessing Alice's height goes up. Theorem: this is unavoidable.
Proof sketch
Suppose that when DB is uniform the mutual information I(DB; San(DB)) > 0, and that a breach is predicting a predicate g(DB).
Pick a hash function h: {databases} → {0,1}^{H(DB | San)}, and let the prior distribution be uniform conditioned on h(DB) = z.
Then h(DB) = z alone gives no information about g(DB), but San(DB) and h(DB) = z together determine DB. [DN] vastly generalize this.
Preventing Attribute Disclosure
Setting as before: DB = (x_1, ..., x_n); San (using random coins) answers queries 1, ..., T from an adversary A.
A large class of definitions: safe if the adversary can't learn too much about any entry. E.g.: the adversary cannot narrow x_i down to a small interval; for uniform x_i, the mutual information I(x_i; San(DB)) ≤ ε.
How can we decide among these definitions?
Differential Privacy
The Lithuanians example: the adversary learns Alice's height even if Alice is not in the DB.
Intuition [DM]: whatever is learned would be learned regardless of whether or not Alice participates. Dual: whatever is already known, the situation won't get worse.
Approach: Indistinguishability
Run the same mechanism A (with its local random coins, answering queries) on a database x = (x_1, ..., x_n) and on a database x′, where x′ is a neighbor of x if they differ in one row. Neighboring databases should induce close distributions on transcripts.
Definition: A is ε-indistinguishable if, for all neighbors x, x′ and for all subsets S of transcripts, Pr[A(x) ∈ S] ≤ (1 + ε) Pr[A(x′) ∈ S].
Note that ε has to be non-negligible here: any two databases differ in at most n rows, so by the triangle inequality their output distributions are within a factor of roughly (1 + ε)^n ≈ e^{εn}. If ε < 1/n, every database induces nearly the same answers and users get no information!
Why this multiplicative measure? Requiring small statistical difference doesn't make sense for ε > 1/n: e.g., the mechanism that chooses a random i and releases (i, x_i) has statistical difference only about 1/n between neighbors, yet it compromises someone's privacy with probability 1.
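One simple mechanism meeting the definition is per-row randomized response: flip each bit independently with probability p and publish all the noisy bits. For neighboring databases the probability of any output changes by at most a factor (1 − p)/p, so the definition holds with 1 + ε = (1 − p)/p. A small exhaustive check of this claim (the flip probability and the databases are made-up values for the sketch):

```python
from itertools import product

def rr_prob(db, output, p):
    """Probability that flipping each bit of db independently w.p. p yields output."""
    prob = 1.0
    for b, o in zip(db, output):
        prob *= p if b != o else (1 - p)
    return prob

p = 0.25                       # flip probability
x  = (0, 1, 1, 0)
x2 = (0, 1, 0, 0)              # neighbor: differs from x in exactly one row

ratios = [rr_prob(x, y, p) / rr_prob(x2, y, p) for y in product((0, 1), repeat=4)]
print(max(ratios), (1 - p) / p)   # worst-case ratio = (1-p)/p = 3.0
```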
Differential Privacy
Another interpretation [DM]: you learn the same things about me regardless of whether I am in the database. Suppose you know I am the height of the median Canadian. You could learn my height from the database, but it didn't matter whether or not my data was part of it. Has my privacy been compromised? No!
Differential Privacy
Define n+1 games. Game 0: the adversary interacts with San(DB). For each i, let DB_{-i} = (x_1, ..., x_{i-1}, 0, x_{i+1}, ..., x_n); in Game i the adversary interacts with San(DB_{-i}).
Bayesian adversary: given a transcript S and a prior distribution p(·) on DB, define the n+1 corresponding posterior distributions.
Definition: San is safe if for all prior distributions p(·) on DB, for all transcripts S, and for all i = 1, ..., n, StatDiff(p_0(· | S), p_i(· | S)) ≤ ε.
Note that the prior distribution may be far from both posteriors. How can we satisfy this?
Indistinguishability ⇒ Differential Privacy
Recall: San is safe if for all priors p(·) on DB, all transcripts S, and all i = 1, ..., n, StatDiff(p_0(· | S), p_i(· | S)) ≤ ε.
We can use indistinguishability: for every transcript S and database DB, the probability of S is nearly the same under DB and under its neighbor DB_{-i}, so Bayes' rule gives posteriors p_0(· | S) and p_i(· | S) that are pointwise close. This implies StatDiff(p_0(· | S), p_i(· | S)) ≤ ε.
Output Perturbation
Individuals' data x_1, x_2, ..., x_n sit at the server/agency; the mechanism A (using local random coins) answers the user's request "Tell me f(x)" with f(x) + noise.
Intuition: f(x) can be released accurately when f is insensitive to individual entries x_1, x_2, ..., x_n.
Global sensitivity: GS_f = max over neighbors x, x′ of ||f(x) − f(x′)||_1; this is essentially a Lipschitz constant of f. Example: GS_average = 1/n.
Theorem: if A(x) = f(x) + Lap(GS_f / ε), then A is ε-indistinguishable.
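A minimal sketch of the theorem in code, for the average of values in [0, 1] (so GS_average = 1/n); the function names and parameters are illustrative:

```python
import random

def noisy_average(xs, eps):
    """Release the average of values in [0,1] with Laplace(GS/eps) noise, GS = 1/n."""
    scale = (1.0 / len(xs)) / eps                    # GS_average / epsilon
    noise = random.expovariate(1 / scale) - random.expovariate(1 / scale)
    return sum(xs) / len(xs) + noise                 # difference of exponentials ~ Lap(scale)

data = [random.random() for _ in range(10_000)]
print(noisy_average(data, eps=0.1))                  # off from the true mean by ~1/(eps*n)
```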
Global Sensitivity: Noise Distribution
Theorem: if A(x) = f(x) + Lap(GS_f / ε), then A is ε-indistinguishable.
The Laplace distribution Lap(λ) has density h(y) ∝ e^{−|y| / λ}.
Sliding property of Lap(GS_f / ε): h(y) / h(y + δ) ≤ e^{ε |δ| / GS_f} for all y and δ.
Proof idea: the output distributions A(x) and A(x′) are the same Laplace curve shifted by δ = f(x) − f(x′), and |δ| ≤ GS_f.
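Written out, the sliding property and the theorem are each one line of algebra (using the notation above, and the usual identification of a (1 + ε) factor with e^ε for small ε):

```latex
% Density of Lap(lambda) with lambda = GS_f / epsilon:  h(y) \propto e^{-|y|/\lambda}.
\[
\frac{h(y)}{h(y+\delta)}
  = e^{(|y+\delta|-|y|)/\lambda}
  \le e^{|\delta|/\lambda}
  = e^{\varepsilon |\delta| / GS_f}
  \qquad \text{for all } y,\ \delta .
\]
\[
\text{For } A(x) = f(x) + \mathrm{Lap}(GS_f/\varepsilon) \text{ and neighbors } x, x' :\quad
\frac{\Pr[A(x)=t]}{\Pr[A(x')=t]}
  = \frac{h(t-f(x))}{h(t-f(x'))}
  \le e^{\varepsilon |f(x)-f(x')| / GS_f}
  \le e^{\varepsilon}.
\]
```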
Examples of low global sensitivity
Example: GS_average = 1/n if x ∈ [0, 1]^n, so it suffices to add noise Lap(1/(εn)). Comparison: to estimate a frequency (e.g., the proportion of diabetics) in the underlying population, you already incur sampling noise on the order of 1/√n, which is much larger.
Many natural functions have low GS, e.g.: histograms and contingency tables; the covariance matrix; distance to a property; functions that can be approximated from a random sample [BDMN]. Many data-mining and learning algorithms access the data via a sequence of low-sensitivity questions, e.g., perceptron, some EM algorithms, SQ learning algorithms.
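As one example from the list, a noisy histogram: under the differ-in-one-row notion of neighbors, changing one record moves at most one count down and one up, so the vector of counts has L1 sensitivity at most 2 and per-cell noise Lap(2/ε) suffices. A sketch; the bins, data, and function names are illustrative:

```python
import random
from collections import Counter

def lap(scale):
    """Sample Laplace(scale) noise as the difference of two exponentials."""
    return random.expovariate(1 / scale) - random.expovariate(1 / scale)

def noisy_histogram(records, bins, eps):
    counts = Counter(records)
    return {b: counts.get(b, 0) + lap(2 / eps) for b in bins}   # L1 sensitivity <= 2

data = random.choices(["blond", "brown", "red"], weights=[5, 8, 1], k=1000)
print(noisy_histogram(data, bins=["blond", "brown", "red"], eps=0.5))
```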
Why does this help?
With relatively little noise one can release: averages, contingency tables, matrix decompositions, and certain types of clustering.
Differential Privacy Protocols
Output perturbation (release f(x) + noise): sum queries [DiN 03, DwN 04, BDMN 05]; sensitivity frameworks [DMNS 06, NRS 07].
Input perturbation ("randomized response"): frequent item sets [EGS 03]; various learning results.
Lower bounds. Limits on communication models: noninteractive [DMNS 06], local [NSW 07]. Limits on accuracy: many good answers allow reconstructing the database [DiNi 03, DMT 07]. Necessity of differential guarantees [DN].